- Add policy for lsmd

- Add support for /var/log/mariadb dir and allow mysqld_safe to lis
- Update condor_master rules to allow read system state info and al
- Add labeling for /etc/condor and allow condor domain to write it
- Allow condor domains to manage own logs
- Allow glusterd to read domains state
- Fix initial hypervkvp policy
- Add policy for hypervkvpd
- Fix redis.if summary
Miroslav Grepl 2013-08-23 10:14:37 +02:00
parent 166758b455
commit 18df0dd62c
2 changed files with 693 additions and 42 deletions


@ -12763,7 +12763,7 @@ index 3f6e4dc..88c4f19 100644
mta_getattr_spool(comsat_t) mta_getattr_spool(comsat_t)
diff --git a/condor.fc b/condor.fc diff --git a/condor.fc b/condor.fc
index 23dc348..7cc536b 100644 index 23dc348..c4450f7 100644
--- a/condor.fc --- a/condor.fc
+++ b/condor.fc +++ b/condor.fc
@@ -1,4 +1,5 @@ @@ -1,4 +1,5 @@
@ -12772,6 +12772,15 @@ index 23dc348..7cc536b 100644
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
@@ -8,6 +9,8 @@
/usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
/usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
+/etc/condor(/.*)? gen_context(system_u:object_r:condor_etc_rw_t,s0)
+
/var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
/var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
diff --git a/condor.if b/condor.if diff --git a/condor.if b/condor.if
index 3fe3cb8..5fe84a6 100644 index 3fe3cb8..5fe84a6 100644
--- a/condor.if --- a/condor.if
@ -13229,10 +13238,20 @@ index 3fe3cb8..5fe84a6 100644
+ ') + ')
') ')
diff --git a/condor.te b/condor.te diff --git a/condor.te b/condor.te
index 3f2b672..95daaa7 100644 index 3f2b672..39f85e7 100644
--- a/condor.te --- a/condor.te
+++ b/condor.te +++ b/condor.te
@@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t) @@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
type condor_startd_tmpfs_t;
files_tmpfs_file(condor_startd_tmpfs_t)
+type condor_etc_rw_t;
+files_config_file(condor_etc_rw_t)
+
type condor_log_t;
logging_log_file(condor_log_t)
@@ -46,6 +49,9 @@ files_lock_file(condor_var_lock_t)
type condor_var_run_t; type condor_var_run_t;
files_pid_file(condor_var_run_t) files_pid_file(condor_var_run_t)
@ -13242,7 +13261,7 @@ index 3f2b672..95daaa7 100644
condor_domain_template(collector) condor_domain_template(collector)
condor_domain_template(negotiator) condor_domain_template(negotiator)
condor_domain_template(procd) condor_domain_template(procd)
@@ -57,10 +60,15 @@ condor_domain_template(startd) @@ -57,15 +63,20 @@ condor_domain_template(startd)
# Global local policy # Global local policy
# #
@ -13257,16 +13276,22 @@ index 3f2b672..95daaa7 100644
+allow condor_domain self:udp_socket create_socket_perms; +allow condor_domain self:udp_socket create_socket_perms;
+allow condor_domain self:unix_stream_socket create_stream_socket_perms; +allow condor_domain self:unix_stream_socket create_stream_socket_perms;
+allow condor_domain self:netlink_route_socket r_netlink_socket_perms; +allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
+
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t) manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
append_files_pattern(condor_domain, condor_log_t, condor_log_t) -append_files_pattern(condor_domain, condor_log_t, condor_log_t)
@@ -86,13 +94,12 @@ allow condor_domain condor_master_t:tcp_socket getattr; -create_files_pattern(condor_domain, condor_log_t, condor_log_t)
-getattr_files_pattern(condor_domain, condor_log_t, condor_log_t)
+manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
logging_log_filetrans(condor_domain, condor_log_t, { dir file })
manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
@@ -86,13 +97,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
kernel_read_kernel_sysctls(condor_domain) kernel_read_kernel_sysctls(condor_domain)
kernel_read_network_state(condor_domain) kernel_read_network_state(condor_domain)
-kernel_read_system_state(condor_domain) -kernel_read_system_state(condor_domain)
+
+
corecmd_exec_bin(condor_domain) corecmd_exec_bin(condor_domain)
corecmd_exec_shell(condor_domain) corecmd_exec_shell(condor_domain)
@ -13276,18 +13301,19 @@ index 3f2b672..95daaa7 100644
corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_if(condor_domain)
corenet_tcp_sendrecv_generic_node(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain)
@@ -106,9 +113,7 @@ dev_read_rand(condor_domain) @@ -106,9 +114,9 @@ dev_read_rand(condor_domain)
dev_read_sysfs(condor_domain) dev_read_sysfs(condor_domain)
dev_read_urand(condor_domain) dev_read_urand(condor_domain)
-logging_send_syslog_msg(condor_domain) -logging_send_syslog_msg(condor_domain)
-
-miscfiles_read_localization(condor_domain)
+auth_read_passwd(condor_domain) +auth_read_passwd(condor_domain)
-miscfiles_read_localization(condor_domain)
+sysnet_dns_name_resolve(condor_domain)
tunable_policy(`condor_tcp_network_connect',` tunable_policy(`condor_tcp_network_connect',`
corenet_sendrecv_all_client_packets(condor_domain) corenet_sendrecv_all_client_packets(condor_domain)
@@ -125,7 +130,7 @@ optional_policy(` @@ -125,7 +133,7 @@ optional_policy(`
# Master local policy # Master local policy
# #
@ -13296,25 +13322,27 @@ index 3f2b672..95daaa7 100644
allow condor_master_t condor_domain:process { sigkill signal }; allow condor_master_t condor_domain:process { sigkill signal };
@@ -133,6 +138,8 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) @@ -133,6 +141,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
+can_exec(condor_master_t, condor_master_exec_t) +can_exec(condor_master_t, condor_master_exec_t)
+
+kernel_read_system_state(condor_master_t)
+ +
corenet_udp_sendrecv_generic_if(condor_master_t) corenet_udp_sendrecv_generic_if(condor_master_t)
corenet_udp_sendrecv_generic_node(condor_master_t) corenet_udp_sendrecv_generic_node(condor_master_t)
corenet_tcp_bind_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t)
@@ -150,7 +157,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t) @@ -152,6 +164,8 @@ domain_read_all_domains_state(condor_master_t)
domain_read_all_domains_state(condor_master_t) auth_use_nsswitch(condor_master_t)
-auth_use_nsswitch(condor_master_t)
+auth_read_passwd(condor_master_t)
+logging_send_syslog_msg(condor_master_t)
+
optional_policy(` optional_policy(`
mta_send_mail(condor_master_t) mta_send_mail(condor_master_t)
@@ -169,6 +176,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; mta_read_config(condor_master_t)
@@ -169,6 +183,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
kernel_read_network_state(condor_collector_t) kernel_read_network_state(condor_collector_t)
@ -13323,7 +13351,7 @@ index 3f2b672..95daaa7 100644
##################################### #####################################
# #
# Negotiator local policy # Negotiator local policy
@@ -178,6 +187,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; @@ -178,6 +194,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr; allow condor_negotiator_t condor_master_t:udp_socket getattr;
@ -13332,7 +13360,17 @@ index 3f2b672..95daaa7 100644
###################################### ######################################
# #
# Procd local policy # Procd local policy
@@ -201,6 +212,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; @@ -185,7 +203,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
-allow condor_procd_t condor_startd_t:process sigkill;
+allow condor_procd_t condor_domain:process sigkill;
+
domain_read_all_domains_state(condor_procd_t)
@@ -201,6 +220,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
@ -13341,7 +13379,7 @@ index 3f2b672..95daaa7 100644
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
@@ -209,6 +222,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) @@ -209,6 +230,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
@ -13350,7 +13388,7 @@ index 3f2b672..95daaa7 100644
##################################### #####################################
# #
# Startd local policy # Startd local policy
@@ -233,11 +248,10 @@ domain_read_all_domains_state(condor_startd_t) @@ -233,11 +256,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t) mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t) init_domtrans_script(condor_startd_t)
@ -13363,7 +13401,7 @@ index 3f2b672..95daaa7 100644
optional_policy(` optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t) ssh_domtrans(condor_startd_t)
@@ -249,3 +263,7 @@ optional_policy(` @@ -249,3 +271,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t) kerberos_use(condor_startd_ssh_t)
') ')
') ')
@ -25262,10 +25300,10 @@ index 0000000..1ed97fe
+ +
diff --git a/glusterd.te b/glusterd.te diff --git a/glusterd.te b/glusterd.te
new file mode 100644 new file mode 100644
index 0000000..7244e2c index 0000000..06e17e3
--- /dev/null --- /dev/null
+++ b/glusterd.te +++ b/glusterd.te
@@ -0,0 +1,167 @@ @@ -0,0 +1,169 @@
+policy_module(glusterfs, 1.0.1) +policy_module(glusterfs, 1.0.1)
+ +
+## <desc> +## <desc>
@ -25394,6 +25432,8 @@ index 0000000..7244e2c
+dev_read_sysfs(glusterd_t) +dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t) +dev_read_urand(glusterd_t)
+ +
+domain_read_all_domains_state(glusterd_t)
+
+domain_use_interactive_fds(glusterd_t) +domain_use_interactive_fds(glusterd_t)
+ +
+fs_mount_all_fs(glusterd_t) +fs_mount_all_fs(glusterd_t)
@ -29487,6 +29527,76 @@ index e207823..4e0f8ba 100644
userdom_dontaudit_use_unpriv_user_fds(howl_t) userdom_dontaudit_use_unpriv_user_fds(howl_t)
userdom_dontaudit_search_user_home_dirs(howl_t) userdom_dontaudit_search_user_home_dirs(howl_t)
diff --git a/hypervkvp.fc b/hypervkvp.fc
new file mode 100644
index 0000000..2a69ee4
--- /dev/null
+++ b/hypervkvp.fc
@@ -0,0 +1,3 @@
+/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
+
+/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
diff --git a/hypervkvp.if b/hypervkvp.if
new file mode 100644
index 0000000..7743be5
--- /dev/null
+++ b/hypervkvp.if
@@ -0,0 +1,21 @@
+
+## <summary>policy for hypervkvp</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the hypervkvp domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`hypervkvp_domtrans',`
+ gen_require(`
+ type hypervkvp_t, hypervkvp_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
+')
diff --git a/hypervkvp.te b/hypervkvp.te
new file mode 100644
index 0000000..fd3b26b
--- /dev/null
+++ b/hypervkvp.te
@@ -0,0 +1,28 @@
+policy_module(hypervkvp, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type hypervkvp_t;
+type hypervkvp_exec_t;
+init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
+
+type hypervkvp_initrc_exec_t;
+init_script_file(hypervkvp_initrc_exec_t)
+
+########################################
+#
+# hypervkvp local policy
+#
+#
+
+allow hypervkvp_t self:fifo_file rw_fifo_file_perms;
+allow hypervkvp_t self:unix_stream_socket create_stream_socket_perms;
+
+logging_send_syslog_msg(hypervkvp_t)
+
+miscfiles_read_localization(hypervkvp_t)
+
+sysnet_dns_name_resolve(hypervkvp_t)
diff --git a/i18n_input.te b/i18n_input.te diff --git a/i18n_input.te b/i18n_input.te
index 3bed8fa..a738d7f 100644 index 3bed8fa..a738d7f 100644
--- a/i18n_input.te --- a/i18n_input.te
@ -35685,6 +35795,163 @@ index b9270f7..15f3748 100644
+optional_policy(` +optional_policy(`
+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t) + mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
') ')
diff --git a/lsm.fc b/lsm.fc
new file mode 100644
index 0000000..711c04b
--- /dev/null
+++ b/lsm.fc
@@ -0,0 +1,5 @@
+/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
+
+/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+
+/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/lsm.if b/lsm.if
new file mode 100644
index 0000000..f3e94d7
--- /dev/null
+++ b/lsm.if
@@ -0,0 +1,103 @@
+
+## <summary>lsmd SELINUX policy </summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the lsmd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lsmd_domtrans',`
+ gen_require(`
+ type lsmd_t, lsmd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lsmd_exec_t, lsmd_t)
+')
+########################################
+## <summary>
+## Read lsmd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lsmd_read_pid_files',`
+ gen_require(`
+ type lsmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute lsmd server in the lsmd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lsmd_systemctl',`
+ gen_require(`
+ type lsmd_t;
+ type lsmd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 lsmd_unit_file_t:file read_file_perms;
+ allow $1 lsmd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, lsmd_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an lsmd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lsmd_admin',`
+ gen_require(`
+ type lsmd_t;
+ type lsmd_var_run_t;
+ type lsmd_unit_file_t;
+ ')
+
+ allow $1 lsmd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, lsmd_t)
+
+ files_search_pids($1)
+ admin_pattern($1, lsmd_var_run_t)
+
+ lsmd_systemctl($1)
+ admin_pattern($1, lsmd_unit_file_t)
+ allow $1 lsmd_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/lsm.te b/lsm.te
new file mode 100644
index 0000000..14fe4d7
--- /dev/null
+++ b/lsm.te
@@ -0,0 +1,31 @@
+policy_module(lsm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lsmd_t;
+type lsmd_exec_t;
+init_daemon_domain(lsmd_t, lsmd_exec_t)
+
+type lsmd_var_run_t;
+files_pid_file(lsmd_var_run_t)
+
+type lsmd_unit_file_t;
+systemd_unit_file(lsmd_unit_file_t)
+
+########################################
+#
+# lsmd local policy
+#
+allow lsmd_t self:capability { setgid };
+allow lsmd_t self:process { fork };
+allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+
+logging_send_syslog_msg(lsmd_t)
diff --git a/mailman.fc b/mailman.fc diff --git a/mailman.fc b/mailman.fc
index 7fa381b..bbe6b01 100644 index 7fa381b..bbe6b01 100644
--- a/mailman.fc --- a/mailman.fc
@ -42853,7 +43120,7 @@ index 97370e4..92138ca 100644
+ apache_search_sys_content(munin_t) + apache_search_sys_content(munin_t)
+') +')
diff --git a/mysql.fc b/mysql.fc diff --git a/mysql.fc b/mysql.fc
index c48dc17..f93fa69 100644 index c48dc17..6355fb4 100644
--- a/mysql.fc --- a/mysql.fc
+++ b/mysql.fc +++ b/mysql.fc
@@ -1,11 +1,24 @@ @@ -1,11 +1,24 @@
@ -42889,7 +43156,7 @@ index c48dc17..f93fa69 100644
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
@@ -13,13 +26,15 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) @@ -13,13 +26,16 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@ -42905,6 +43172,7 @@ index c48dc17..f93fa69 100644
+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) +/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) -/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mysql.* gen_context(system_u:object_r:mysqld_log_t,s0) +/var/log/mysql.* gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) -/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
@ -43444,7 +43712,7 @@ index 687af38..404ed6d 100644
+ mysql_stream_connect($1) + mysql_stream_connect($1)
') ')
diff --git a/mysql.te b/mysql.te diff --git a/mysql.te b/mysql.te
index 9f6179e..0f6abcb 100644 index 9f6179e..94457fe 100644
--- a/mysql.te --- a/mysql.te
+++ b/mysql.te +++ b/mysql.te
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -43617,7 +43885,7 @@ index 9f6179e..0f6abcb 100644
seutil_sigchld_newrole(mysqld_t) seutil_sigchld_newrole(mysqld_t)
') ')
@@ -153,29 +160,22 @@ optional_policy(` @@ -153,29 +160,23 @@ optional_policy(`
####################################### #######################################
# #
@ -43643,6 +43911,7 @@ index 9f6179e..0f6abcb 100644
-allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) -logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@ -43653,7 +43922,7 @@ index 9f6179e..0f6abcb 100644
kernel_read_system_state(mysqld_safe_t) kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t)
@@ -187,17 +187,21 @@ dev_list_sysfs(mysqld_safe_t) @@ -187,17 +188,21 @@ dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t)
@ -43681,7 +43950,7 @@ index 9f6179e..0f6abcb 100644
optional_policy(` optional_policy(`
hostname_exec(mysqld_safe_t) hostname_exec(mysqld_safe_t)
@@ -205,7 +209,7 @@ optional_policy(` @@ -205,7 +210,7 @@ optional_policy(`
######################################## ########################################
# #
@ -43690,7 +43959,7 @@ index 9f6179e..0f6abcb 100644
# #
allow mysqlmanagerd_t self:capability { dac_override kill }; allow mysqlmanagerd_t self:capability { dac_override kill };
@@ -214,11 +218,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; @@ -214,11 +219,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@ -43708,7 +43977,7 @@ index 9f6179e..0f6abcb 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
@@ -226,31 +231,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) @@ -226,31 +232,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@ -67802,6 +68071,368 @@ index 9a8f052..3baa71a 100644
+ +
+ unconfined_domain_noaudit(realmd_consolehelper_t) + unconfined_domain_noaudit(realmd_consolehelper_t)
') ')
diff --git a/redis.fc b/redis.fc
new file mode 100644
index 0000000..638d6b4
--- /dev/null
+++ b/redis.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
+
+/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+
+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
+
+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
diff --git a/redis.if b/redis.if
new file mode 100644
index 0000000..72a2d7b
--- /dev/null
+++ b/redis.if
@@ -0,0 +1,271 @@
+
+## <summary>redis-server SELinux policy</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the redis domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`redis_domtrans',`
+ gen_require(`
+ type redis_t, redis_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, redis_exec_t, redis_t)
+')
+
+########################################
+## <summary>
+## Execute redis server in the redis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_initrc_domtrans',`
+ gen_require(`
+ type redis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, redis_initrc_exec_t)
+')
+########################################
+## <summary>
+## Read redis's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`redis_read_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+## <summary>
+## Append to redis log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_append_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+## <summary>
+## Manage redis log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_manage_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, redis_log_t, redis_log_t)
+ manage_files_pattern($1, redis_log_t, redis_log_t)
+ manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+## <summary>
+## Search redis lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_search_lib',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ allow $1 redis_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read redis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_read_lib_files',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage redis lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_manage_lib_files',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage redis lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_manage_lib_dirs',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read redis PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`redis_read_pid_files',`
+ gen_require(`
+ type redis_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, redis_var_run_t, redis_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute redis server in the redis domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`redis_systemctl',`
+ gen_require(`
+ type redis_t;
+ type redis_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 redis_unit_file_t:file read_file_perms;
+ allow $1 redis_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, redis_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an redis environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`redis_admin',`
+ gen_require(`
+ type redis_t;
+ type redis_initrc_exec_t;
+ type redis_log_t;
+ type redis_var_lib_t;
+ type redis_var_run_t;
+ type redis_unit_file_t;
+ ')
+
+ allow $1 redis_t:process { ptrace signal_perms };
+ ps_process_pattern($1, redis_t)
+
+ redis_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 redis_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, redis_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, redis_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, redis_var_run_t)
+
+ redis_systemctl($1)
+ admin_pattern($1, redis_unit_file_t)
+ allow $1 redis_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/redis.te b/redis.te
new file mode 100644
index 0000000..e5e9cf7
--- /dev/null
+++ b/redis.te
@@ -0,0 +1,62 @@
+policy_module(redis, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type redis_t;
+type redis_exec_t;
+init_daemon_domain(redis_t, redis_exec_t)
+
+type redis_initrc_exec_t;
+init_script_file(redis_initrc_exec_t)
+
+type redis_log_t;
+logging_log_file(redis_log_t)
+
+type redis_var_lib_t;
+files_type(redis_var_lib_t)
+
+type redis_var_run_t;
+files_pid_file(redis_var_run_t)
+
+type redis_unit_file_t;
+systemd_unit_file(redis_unit_file_t)
+
+########################################
+#
+# redis local policy
+#
+
+allow redis_t self:process { setrlimit signal_perms };
+allow redis_t self:fifo_file rw_fifo_file_perms;
+allow redis_t self:unix_stream_socket create_stream_socket_perms;
+allow redis_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
+manage_files_pattern(redis_t, redis_log_t, redis_log_t)
+manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
+
+manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+
+manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+
+kernel_read_system_state(redis_t)
+
+corenet_tcp_bind_generic_node(redis_t)
+corenet_tcp_bind_redis_port(redis_t)
+
+dev_read_sysfs(redis_t)
+dev_read_urand(redis_t)
+
+logging_send_syslog_msg(redis_t)
+
+miscfiles_read_localization(redis_t)
+
+sysnet_dns_name_resolve(redis_t)
+
diff --git a/remotelogin.fc b/remotelogin.fc diff --git a/remotelogin.fc b/remotelogin.fc
index 327baf0..d8691bd 100644 index 327baf0..d8691bd 100644
--- a/remotelogin.fc --- a/remotelogin.fc
@ -84046,10 +84677,10 @@ index c6aaac7..a5600a8 100644
sysnet_dns_name_resolve(svnserve_t) sysnet_dns_name_resolve(svnserve_t)
diff --git a/swift.fc b/swift.fc diff --git a/swift.fc b/swift.fc
new file mode 100644 new file mode 100644
index 0000000..e5433ad index 0000000..744f0ce
--- /dev/null --- /dev/null
+++ b/swift.fc +++ b/swift.fc
@@ -0,0 +1,28 @@ @@ -0,0 +1,29 @@
+/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
@ -84069,7 +84700,8 @@ index 0000000..e5433ad
+ +
+/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0) +/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0)
+ +
+/var/run/swift(/.*)? gen_context(system_u:object_r:swift_var_run_t,s0) +/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0)
+/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0)
+ +
+# This seems to be a de-facto standard when using swift. +# This seems to be a de-facto standard when using swift.
+/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0) +/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0)
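Review bot: The `--` file-type qualifier added to `/var/cache/swift(/.*)?` and `/var/run/swift(/.*)?` limits those entries to regular files, so the directories themselves and any subdirectories are not labeled swift_var_cache_t / swift_var_run_t and fall back to the generic /var and /var/run labels; for /var/run/swift this is a regression from the previous line, which had no qualifier. The `/srv/node(/.*)?` entry directly below shows the intended form, and the swift.te hunk later in this section relies on the directory carrying the label (`manage_dirs_pattern` on swift_var_cache_t and `files_var_filetrans(swift_t,swift_var_cache_t, { dir file })`). Dropping the qualifier on both lines restores that: `/var/cache/swift(/.*)?	gen_context(system_u:object_r:swift_var_cache_t,s0)` and `/var/run/swift(/.*)?	gen_context(system_u:object_r:swift_var_run_t,s0)`. Separately, the unnamed `files_var_filetrans` in swift.te transitions anything swift_t creates directly in /var to swift_var_cache_t; if this policy's files_var_filetrans accepts a name argument, restricting it to the "swift" directory would be tighter.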
@ -84209,10 +84841,10 @@ index 0000000..015c2c9
+') +')
diff --git a/swift.te b/swift.te diff --git a/swift.te b/swift.te
new file mode 100644 new file mode 100644
index 0000000..2d5942c index 0000000..c7b2bf6
--- /dev/null --- /dev/null
+++ b/swift.te +++ b/swift.te
@@ -0,0 +1,61 @@ @@ -0,0 +1,69 @@
+policy_module(swift, 1.0.0) +policy_module(swift, 1.0.0)
+ +
+######################################## +########################################
@ -84224,6 +84856,9 @@ index 0000000..2d5942c
+type swift_exec_t; +type swift_exec_t;
+init_daemon_domain(swift_t, swift_exec_t) +init_daemon_domain(swift_t, swift_exec_t)
+ +
+type swift_var_cache_t;
+files_type(swift_var_cache_t)
+
+type swift_var_run_t; +type swift_var_run_t;
+files_pid_file(swift_var_run_t) +files_pid_file(swift_var_run_t)
+ +
@ -84245,6 +84880,11 @@ index 0000000..2d5942c
+allow swift_t self:unix_stream_socket create_stream_socket_perms; +allow swift_t self:unix_stream_socket create_stream_socket_perms;
+allow swift_t self:unix_dgram_socket create_socket_perms; +allow swift_t self:unix_dgram_socket create_socket_perms;
+ +
+manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
+manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
+manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
+files_var_filetrans(swift_t,swift_var_cache_t, { dir file })
+
+manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t) +manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t)
+manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t) +manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
+manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t) +manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
@ -91080,7 +91720,7 @@ index 9dec06c..bdba959 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms; + allow $1 svirt_image_t:chr_file rw_file_perms;
') ')
diff --git a/virt.te b/virt.te diff --git a/virt.te b/virt.te
index 1f22fba..65dbdd3 100644 index 1f22fba..cbd02ae 100644
--- a/virt.te --- a/virt.te
+++ b/virt.te +++ b/virt.te
@@ -1,94 +1,104 @@ @@ -1,94 +1,104 @@
@ -91615,7 +92255,7 @@ index 1f22fba..65dbdd3 100644
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
-allow virtd_t self:unix_stream_socket { accept connectto listen }; -allow virtd_t self:unix_stream_socket { accept connectto listen };
-allow virtd_t self:tcp_socket { accept listen }; -allow virtd_t self:tcp_socket { accept listen };
+allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto };
+allow virtd_t self:tcp_socket create_stream_socket_perms; +allow virtd_t self:tcp_socket create_stream_socket_perms;
allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow virtd_t self:rawip_socket create_socket_perms; allow virtd_t self:rawip_socket create_socket_perms;


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.12.1 Version: 3.12.1
Release: 71%{?dist} Release: 72%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -538,6 +538,17 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Fri Aug 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-72
- Add policy for lsmd
- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory
- Update condor_master rules to allow read system state info and allow logging
- Add labeling for /etc/condor and allow condor domain to write it (bug)
- Allow condor domains to manage own logs
- Allow glusterd to read domains state
- Fix initial hypervkvp policy
- Add policy for hypervkvpd
- Fix redis.if summary
* Wed Aug 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-71 * Wed Aug 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-71
- Allow boinc to connect to @/tmp/.X11-unix/X0 - Allow boinc to connect to @/tmp/.X11-unix/X0
- Allow beam.smp to connect to tcp/5984 - Allow beam.smp to connect to tcp/5984