- Allow sshd_t to read openshift content, needs backport to RHEL6.5

- Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t
- Make sure kdump lock is created with the correct label if kdumpctl is executed
- gnome interface calls should always be made within an optional_block
- Allow syslogd_t to connect to the syslog_tls port
- Add labeling for /var/run/charon.ctl socket
- Add kdump_filetrans_named_content()
- Allow setpgid for fenced_t
- Allow setpgid and r/w cluster tmpfs for fenced_t
- gnome calls should always be within optional blocks
- wicd.pid should be labeled as networkmanager_var_run_t
- Allow sys_resource for lldpad
This commit is contained in:
Miroslav Grepl 2013-10-22 12:08:40 +02:00
parent 71bb644a3b
commit 2d3bd44103
3 changed files with 292 additions and 163 deletions


@ -8756,7 +8756,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..c8fc903 100644
index cf04cb5..40f0157 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@ -8893,7 +8893,7 @@ index cf04cb5..c8fc903 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -166,5 +231,298 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
@@ -166,5 +231,302 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@ -8910,6 +8910,10 @@ index cf04cb5..c8fc903 100644
+dev_config_null_dev_service(unconfined_domain_type)
+
+optional_policy(`
+ kdump_filetrans_named_content(unconfined_domain_type)
+')
+
+optional_policy(`
+ locallogin_filetrans_home_content(named_filetrans_domain)
+')
+
@ -20607,7 +20611,7 @@ index fe0c682..225aaa7 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 5fc0391..f06e006 100644
index 5fc0391..1386603 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,61 @@ policy_module(ssh, 2.3.3)
@ -20981,7 +20985,7 @@ index 5fc0391..f06e006 100644
+ openshift_manage_tmp_files(sshd_t)
+ openshift_manage_tmp_sockets(sshd_t)
+ openshift_mounton_tmp(sshd_t)
+ openshift_search_lib(sshd_t)
+ openshift_read_lib_files(sshd_t)
+')
+
+optional_policy(`
@ -27927,7 +27931,7 @@ index 24e7804..76da5dd 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dd3be8d..4d15ea1 100644
index dd3be8d..d9b6a37 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@ -28067,7 +28071,7 @@ index dd3be8d..4d15ea1 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
@@ -125,13 +181,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
@@ -125,13 +181,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@ -28079,6 +28083,7 @@ index dd3be8d..4d15ea1 100644
-dev_read_sysfs(init_t)
+dev_rw_sysfs(init_t)
+dev_read_urand(init_t)
+dev_read_raw_memory(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
+dev_filetrans_all_named_dev(init_t)
@ -28086,7 +28091,7 @@ index dd3be8d..4d15ea1 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
@@ -139,14 +199,20 @@ domain_signal_all_domains(init_t)
@@ -139,14 +200,20 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
@ -28107,7 +28112,7 @@ index dd3be8d..4d15ea1 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
@@ -156,28 +222,51 @@ fs_list_inotifyfs(init_t)
@@ -156,28 +223,51 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@ -28162,7 +28167,7 @@ index dd3be8d..4d15ea1 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
@@ -186,29 +275,204 @@ ifdef(`distro_gentoo',`
@@ -186,29 +276,204 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@ -28375,7 +28380,7 @@ index dd3be8d..4d15ea1 100644
')
optional_policy(`
@@ -216,7 +480,30 @@ optional_policy(`
@@ -216,7 +481,30 @@ optional_policy(`
')
optional_policy(`
@ -28406,7 +28411,7 @@ index dd3be8d..4d15ea1 100644
')
########################################
@@ -225,8 +512,9 @@ optional_policy(`
@@ -225,8 +513,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -28418,7 +28423,7 @@ index dd3be8d..4d15ea1 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
@@ -257,12 +545,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
@@ -257,12 +546,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -28435,7 +28440,7 @@ index dd3be8d..4d15ea1 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -278,23 +570,36 @@ kernel_change_ring_buffer_level(initrc_t)
@@ -278,23 +571,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@ -28478,7 +28483,7 @@ index dd3be8d..4d15ea1 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
@@ -302,9 +607,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
@@ -302,9 +608,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@ -28490,7 +28495,7 @@ index dd3be8d..4d15ea1 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
@@ -312,8 +619,10 @@ dev_write_framebuffer(initrc_t)
@@ -312,8 +620,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@ -28501,7 +28506,7 @@ index dd3be8d..4d15ea1 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -321,8 +630,7 @@ dev_manage_generic_files(initrc_t)
@@ -321,8 +631,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@ -28511,7 +28516,7 @@ index dd3be8d..4d15ea1 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
@@ -331,7 +639,6 @@ domain_sigstop_all_domains(initrc_t)
@@ -331,7 +640,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@ -28519,7 +28524,7 @@ index dd3be8d..4d15ea1 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
@@ -339,6 +646,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
@@ -339,6 +647,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@ -28527,7 +28532,7 @@ index dd3be8d..4d15ea1 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
@@ -346,14 +654,15 @@ files_getattr_all_symlinks(initrc_t)
@@ -346,14 +655,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@ -28545,7 +28550,7 @@ index dd3be8d..4d15ea1 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
@@ -363,8 +672,12 @@ files_list_isid_type_dirs(initrc_t)
@@ -363,8 +673,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@ -28559,7 +28564,7 @@ index dd3be8d..4d15ea1 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
@@ -374,10 +687,11 @@ fs_mount_all_fs(initrc_t)
@@ -374,10 +688,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@ -28573,7 +28578,7 @@ index dd3be8d..4d15ea1 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
@@ -386,6 +700,7 @@ mls_process_read_up(initrc_t)
@@ -386,6 +701,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@ -28581,7 +28586,7 @@ index dd3be8d..4d15ea1 100644
selinux_get_enforce_mode(initrc_t)
@@ -397,6 +712,7 @@ term_use_all_terms(initrc_t)
@@ -397,6 +713,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@ -28589,7 +28594,7 @@ index dd3be8d..4d15ea1 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
@@ -415,20 +731,18 @@ logging_read_all_logs(initrc_t)
@@ -415,20 +732,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@ -28613,7 +28618,7 @@ index dd3be8d..4d15ea1 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
@@ -450,7 +764,6 @@ ifdef(`distro_gentoo',`
@@ -450,7 +765,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@ -28621,7 +28626,7 @@ index dd3be8d..4d15ea1 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
@@ -485,6 +798,10 @@ ifdef(`distro_gentoo',`
@@ -485,6 +799,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@ -28632,7 +28637,7 @@ index dd3be8d..4d15ea1 100644
alsa_read_lib(initrc_t)
')
@@ -505,7 +822,7 @@ ifdef(`distro_redhat',`
@@ -505,7 +823,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@ -28641,7 +28646,7 @@ index dd3be8d..4d15ea1 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
@@ -520,6 +837,7 @@ ifdef(`distro_redhat',`
@@ -520,6 +838,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@ -28649,7 +28654,7 @@ index dd3be8d..4d15ea1 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
@@ -540,6 +858,7 @@ ifdef(`distro_redhat',`
@@ -540,6 +859,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@ -28657,7 +28662,7 @@ index dd3be8d..4d15ea1 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
@@ -549,8 +868,44 @@ ifdef(`distro_redhat',`
@@ -549,8 +869,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@ -28702,7 +28707,7 @@ index dd3be8d..4d15ea1 100644
')
optional_policy(`
@@ -558,14 +913,31 @@ ifdef(`distro_redhat',`
@@ -558,14 +914,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@ -28734,7 +28739,7 @@ index dd3be8d..4d15ea1 100644
')
')
@@ -576,6 +948,39 @@ ifdef(`distro_suse',`
@@ -576,6 +949,39 @@ ifdef(`distro_suse',`
')
')
@ -28774,7 +28779,7 @@ index dd3be8d..4d15ea1 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -588,6 +993,8 @@ optional_policy(`
@@ -588,6 +994,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@ -28783,7 +28788,7 @@ index dd3be8d..4d15ea1 100644
')
optional_policy(`
@@ -609,6 +1016,7 @@ optional_policy(`
@@ -609,6 +1017,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@ -28791,7 +28796,7 @@ index dd3be8d..4d15ea1 100644
')
optional_policy(`
@@ -625,6 +1033,17 @@ optional_policy(`
@@ -625,6 +1034,17 @@ optional_policy(`
')
optional_policy(`
@ -28809,7 +28814,7 @@ index dd3be8d..4d15ea1 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
@@ -641,9 +1060,13 @@ optional_policy(`
@@ -641,9 +1061,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@ -28823,7 +28828,7 @@ index dd3be8d..4d15ea1 100644
')
optional_policy(`
@@ -656,15 +1079,11 @@ optional_policy(`
@@ -656,15 +1080,11 @@ optional_policy(`
')
optional_policy(`
@ -28841,7 +28846,7 @@ index dd3be8d..4d15ea1 100644
')
optional_policy(`
@@ -685,6 +1104,15 @@ optional_policy(`
@@ -685,6 +1105,15 @@ optional_policy(`
')
optional_policy(`
@ -28857,7 +28862,7 @@ index dd3be8d..4d15ea1 100644
inn_exec_config(initrc_t)
')
@@ -725,6 +1153,7 @@ optional_policy(`
@@ -725,6 +1154,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@ -28865,7 +28870,7 @@ index dd3be8d..4d15ea1 100644
')
optional_policy(`
@@ -742,7 +1171,13 @@ optional_policy(`
@@ -742,7 +1172,13 @@ optional_policy(`
')
optional_policy(`
@ -28880,7 +28885,7 @@ index dd3be8d..4d15ea1 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -765,6 +1200,10 @@ optional_policy(`
@@ -765,6 +1201,10 @@ optional_policy(`
')
optional_policy(`
@ -28891,7 +28896,7 @@ index dd3be8d..4d15ea1 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
@@ -774,10 +1213,20 @@ optional_policy(`
@@ -774,10 +1214,20 @@ optional_policy(`
')
optional_policy(`
@ -28912,7 +28917,7 @@ index dd3be8d..4d15ea1 100644
quota_manage_flags(initrc_t)
')
@@ -786,6 +1235,10 @@ optional_policy(`
@@ -786,6 +1236,10 @@ optional_policy(`
')
optional_policy(`
@ -28923,7 +28928,7 @@ index dd3be8d..4d15ea1 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
@@ -807,8 +1260,6 @@ optional_policy(`
@@ -807,8 +1261,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@ -28932,7 +28937,7 @@ index dd3be8d..4d15ea1 100644
')
optional_policy(`
@@ -817,6 +1268,10 @@ optional_policy(`
@@ -817,6 +1269,10 @@ optional_policy(`
')
optional_policy(`
@ -28943,7 +28948,7 @@ index dd3be8d..4d15ea1 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
@@ -826,10 +1281,12 @@ optional_policy(`
@@ -826,10 +1282,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@ -28956,7 +28961,7 @@ index dd3be8d..4d15ea1 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -856,12 +1313,28 @@ optional_policy(`
@@ -856,12 +1314,28 @@ optional_policy(`
')
optional_policy(`
@ -28986,7 +28991,7 @@ index dd3be8d..4d15ea1 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
@@ -871,6 +1344,18 @@ optional_policy(`
@@ -871,6 +1345,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@ -29005,7 +29010,7 @@ index dd3be8d..4d15ea1 100644
')
optional_policy(`
@@ -886,6 +1371,10 @@ optional_policy(`
@@ -886,6 +1372,10 @@ optional_policy(`
')
optional_policy(`
@ -29016,7 +29021,7 @@ index dd3be8d..4d15ea1 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
@@ -896,3 +1385,196 @@ optional_policy(`
@@ -896,3 +1386,196 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@ -29214,7 +29219,7 @@ index dd3be8d..4d15ea1 100644
+ allow direct_run_init direct_init_entry:file { getattr open read execute };
+')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 662e79b..ae5a411 100644
index 662e79b..a199ffd 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -1,14 +1,22 @@
@ -29241,7 +29246,7 @@ index 662e79b..ae5a411 100644
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
@@ -26,16 +34,22 @@
@@ -26,16 +34,23 @@
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@ -29259,6 +29264,7 @@ index 662e79b..ae5a411 100644
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/charon\.ctl -s gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
@ -29951,7 +29957,7 @@ index 5dfa44b..cafb28e 100644
optional_policy(`
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 73bb3c0..6e848de 100644
index 73bb3c0..5b9420f 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@
@ -30017,7 +30023,12 @@ index 73bb3c0..6e848de 100644
/usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
@@ -129,6 +138,7 @@ ifdef(`distro_redhat',`
@@ -125,10 +134,12 @@ ifdef(`distro_redhat',`
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/sasl2/libsasldb\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30025,7 +30036,7 @@ index 73bb3c0..6e848de 100644
/usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -141,19 +151,21 @@ ifdef(`distro_redhat',`
@@ -141,19 +152,21 @@ ifdef(`distro_redhat',`
/usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30052,7 +30063,7 @@ index 73bb3c0..6e848de 100644
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -182,11 +194,13 @@ ifdef(`distro_redhat',`
@@ -182,11 +195,13 @@ ifdef(`distro_redhat',`
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30066,7 +30077,7 @@ index 73bb3c0..6e848de 100644
/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -241,13 +255,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
@@ -241,13 +256,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30082,7 +30093,7 @@ index 73bb3c0..6e848de 100644
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -269,20 +281,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
@@ -269,20 +282,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -30113,7 +30124,7 @@ index 73bb3c0..6e848de 100644
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -299,17 +310,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
@@ -299,17 +311,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@ -31322,7 +31333,7 @@ index 4e94884..9b82ed0 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 39ea221..0c383ca 100644
index 39ea221..616d6a8 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@ -31583,15 +31594,16 @@ index 39ea221..0c383ca 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
@@ -417,6 +470,7 @@ corenet_tcp_bind_rsh_port(syslogd_t)
@@ -417,6 +470,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
+corenet_tcp_bind_syslog_tls_port(syslogd_t)
+corenet_tcp_connect_syslog_tls_port(syslogd_t)
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
@@ -427,9 +481,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
@@ -427,9 +482,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -31619,7 +31631,7 @@ index 39ea221..0c383ca 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
@@ -442,14 +513,19 @@ files_read_kernel_symbol_table(syslogd_t)
@@ -442,14 +514,19 @@ files_read_kernel_symbol_table(syslogd_t)
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
@ -31639,7 +31651,7 @@ index 39ea221..0c383ca 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
@@ -461,11 +537,11 @@ init_use_fds(syslogd_t)
@@ -461,11 +538,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@ -31654,7 +31666,7 @@ index 39ea221..0c383ca 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
@@ -502,15 +578,40 @@ optional_policy(`
@@ -502,15 +579,40 @@ optional_policy(`
')
optional_policy(`
@ -31695,7 +31707,7 @@ index 39ea221..0c383ca 100644
')
optional_policy(`
@@ -521,3 +622,26 @@ optional_policy(`
@@ -521,3 +623,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@ -35342,7 +35354,7 @@ index 346a7cc..42a48b6 100644
+/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 6944526..1f23aab 100644
index 6944526..b82ccf1 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -35481,7 +35493,48 @@ index 6944526..1f23aab 100644
read_files_pattern($1, net_conf_t, net_conf_t)
')
')
@@ -433,6 +529,7 @@ interface(`sysnet_manage_config',`
@@ -415,6 +511,40 @@ interface(`sysnet_etc_filetrans_config',`
files_etc_filetrans($1, net_conf_t, file, $2)
')
+########################################
+## <summary>
+## Transition content to the type used for
+## the network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the directory to which the object will be created.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`sysnet_filetrans_config_fromdir',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ filetrans_pattern($1, $2, net_conf_t, $3, $4)
+')
+
#######################################
## <summary>
## Create, read, write, and delete network config files.
@@ -433,6 +563,7 @@ interface(`sysnet_manage_config',`
allow $1 net_conf_t:file manage_file_perms;
ifdef(`distro_redhat',`
@ -35489,7 +35542,7 @@ index 6944526..1f23aab 100644
manage_files_pattern($1, net_conf_t, net_conf_t)
')
')
@@ -471,6 +568,7 @@ interface(`sysnet_delete_dhcpc_pid',`
@@ -471,6 +602,7 @@ interface(`sysnet_delete_dhcpc_pid',`
type dhcpc_var_run_t;
')
@ -35497,7 +35550,7 @@ index 6944526..1f23aab 100644
allow $1 dhcpc_var_run_t:file unlink;
')
@@ -580,6 +678,25 @@ interface(`sysnet_signull_ifconfig',`
@@ -580,6 +712,25 @@ interface(`sysnet_signull_ifconfig',`
########################################
## <summary>
@ -35523,7 +35576,7 @@ index 6944526..1f23aab 100644
## Read the DHCP configuration files.
## </summary>
## <param name="domain">
@@ -596,6 +713,7 @@ interface(`sysnet_read_dhcp_config',`
@@ -596,6 +747,7 @@ interface(`sysnet_read_dhcp_config',`
files_search_etc($1)
allow $1 dhcp_etc_t:dir list_dir_perms;
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@ -35531,7 +35584,7 @@ index 6944526..1f23aab 100644
')
########################################
@@ -681,8 +799,6 @@ interface(`sysnet_dns_name_resolve',`
@@ -681,8 +833,6 @@ interface(`sysnet_dns_name_resolve',`
allow $1 self:udp_socket create_socket_perms;
allow $1 self:netlink_route_socket r_netlink_socket_perms;
@ -35540,7 +35593,7 @@ index 6944526..1f23aab 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
@@ -692,6 +808,8 @@ interface(`sysnet_dns_name_resolve',`
@@ -692,6 +842,8 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
@ -35549,7 +35602,7 @@ index 6944526..1f23aab 100644
sysnet_read_config($1)
optional_policy(`
@@ -720,8 +838,6 @@ interface(`sysnet_use_ldap',`
@@ -720,8 +872,6 @@ interface(`sysnet_use_ldap',`
allow $1 self:tcp_socket create_socket_perms;
@ -35558,7 +35611,7 @@ index 6944526..1f23aab 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
@@ -733,6 +849,9 @@ interface(`sysnet_use_ldap',`
@@ -733,6 +883,9 @@ interface(`sysnet_use_ldap',`
dev_read_urand($1)
sysnet_read_config($1)
@ -35568,7 +35621,7 @@ index 6944526..1f23aab 100644
')
########################################
@@ -754,7 +873,6 @@ interface(`sysnet_use_portmap',`
@@ -754,7 +907,6 @@ interface(`sysnet_use_portmap',`
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
@ -35576,7 +35629,7 @@ index 6944526..1f23aab 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
@@ -766,3 +884,74 @@ interface(`sysnet_use_portmap',`
@@ -766,3 +918,74 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@ -36086,10 +36139,10 @@ index 0000000..e9f1096
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
index 0000000..f0fe449
index 0000000..35b4178
--- /dev/null
+++ b/policy/modules/system/systemd.if
@@ -0,0 +1,1394 @@
@@ -0,0 +1,1400 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@ -37148,7 +37201,9 @@ index 0000000..f0fe449
+ type systemd_home_t;
+ ')
+
+ gnome_search_gconf_data_dir($1)
+ optional_policy(`
+ gnome_search_gconf_data_dir($1)
+ ')
+ read_files_pattern($1, systemd_home_t, systemd_home_t)
+ read_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
+')
@ -37168,7 +37223,9 @@ index 0000000..f0fe449
+ type systemd_home_t;
+ ')
+
+ gnome_search_gconf_data_dir($1)
+ optional_policy(`
+ gnome_search_gconf_data_dir($1)
+ ')
+ manage_dirs_pattern($1, systemd_home_t, systemd_home_t)
+ manage_files_pattern($1, systemd_home_t, systemd_home_t)
+ manage_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
@ -37191,7 +37248,9 @@ index 0000000..f0fe449
+ type systemd_home_t;
+ ')
+
+ gnome_data_filetrans($1, systemd_home_t, dir, "systemd")
+ optional_policy(`
+ gnome_data_filetrans($1, systemd_home_t, dir, "systemd")
+ ')
+')
+
+########################################
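Review bot: The new `/usr/lib/sasl2/libsasldb\.so(\.[^/]*)*` entry in the libraries.fc hunk labels the library textrel_shlib_t, which grants execmod on the mapping to every domain that loads it, so the text-relocation protection is relaxed for all users of libsasldb rather than fixed in the library; a comment above the line should record why, e.g. `# libsasldb ships text relocations (needs execmod); drop once the library is rebuilt PIC`. The commit description names `/usr/lib64/sasl2/libsasldb.so.3.0.0` while the pattern only covers `/usr/lib/`; presumably the distribution's lib64-to-lib path substitution makes it match, but that is worth confirming on a 64-bit host with matchpathcon. The inner hunk header also moved from `@@ -129,6 +138,7 @@` to `@@ -125,10 +134,12 @@` with widened context, so it is worth checking that the regenerated hunk still applies to the upstream libraries.fc it targets.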


@ -4707,7 +4707,7 @@ index 83e899c..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
index 1a82e29..19bd545 100644
index 1a82e29..e84c56d 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@ -5395,7 +5395,7 @@ index 1a82e29..19bd545 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -445,140 +551,165 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -445,140 +551,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@ -5508,6 +5508,8 @@ index 1a82e29..19bd545 100644
logging_send_syslog_msg(httpd_t)
-miscfiles_read_localization(httpd_t)
+init_dontaudit_read_utmp(httpd_t)
+
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
@ -5626,7 +5628,7 @@ index 1a82e29..19bd545 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -589,28 +720,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
@@ -589,28 +722,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@ -5686,7 +5688,7 @@ index 1a82e29..19bd545 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -619,68 +772,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -619,68 +774,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@ -5777,7 +5779,7 @@ index 1a82e29..19bd545 100644
')
tunable_policy(`httpd_setrlimit',`
@@ -690,49 +819,48 @@ tunable_policy(`httpd_setrlimit',`
@@ -690,49 +821,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -5858,7 +5860,7 @@ index 1a82e29..19bd545 100644
')
optional_policy(`
@@ -743,14 +871,6 @@ optional_policy(`
@@ -743,14 +873,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@ -5873,7 +5875,7 @@ index 1a82e29..19bd545 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
@@ -765,6 +885,23 @@ optional_policy(`
@@ -765,6 +887,23 @@ optional_policy(`
')
optional_policy(`
@ -5897,7 +5899,7 @@ index 1a82e29..19bd545 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
@@ -781,34 +918,46 @@ optional_policy(`
@@ -781,34 +920,46 @@ optional_policy(`
')
optional_policy(`
@ -5955,7 +5957,7 @@ index 1a82e29..19bd545 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
@@ -816,8 +965,18 @@ optional_policy(`
@@ -816,8 +967,18 @@ optional_policy(`
')
optional_policy(`
@ -5974,7 +5976,7 @@ index 1a82e29..19bd545 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
@@ -826,6 +985,7 @@ optional_policy(`
@@ -826,6 +987,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@ -5982,7 +5984,7 @@ index 1a82e29..19bd545 100644
')
optional_policy(`
@@ -836,20 +996,39 @@ optional_policy(`
@@ -836,20 +998,39 @@ optional_policy(`
')
optional_policy(`
@ -6028,7 +6030,7 @@ index 1a82e29..19bd545 100644
')
optional_policy(`
@@ -857,19 +1036,35 @@ optional_policy(`
@@ -857,19 +1038,35 @@ optional_policy(`
')
optional_policy(`
@ -6064,7 +6066,7 @@ index 1a82e29..19bd545 100644
udev_read_db(httpd_t)
')
@@ -877,65 +1072,170 @@ optional_policy(`
@@ -877,65 +1074,172 @@ optional_policy(`
yam_read_content(httpd_t)
')
@ -6077,6 +6079,8 @@ index 1a82e29..19bd545 100644
+optional_policy(`
+ zoneminder_manage_lib_dirs(httpd_t)
+ zoneminder_manage_lib_files(httpd_t)
+ zoneminder_stream_connect(httpd_t)
+ zoneminder_exec(httpd_t)
+')
+
########################################
@ -6257,7 +6261,7 @@ index 1a82e29..19bd545 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
@@ -944,123 +1244,74 @@ auth_use_nsswitch(httpd_suexec_t)
@@ -944,123 +1248,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@ -6412,7 +6416,7 @@ index 1a82e29..19bd545 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -1077,172 +1328,104 @@ optional_policy(`
@@ -1077,172 +1332,104 @@ optional_policy(`
')
')
@ -6648,7 +6652,7 @@ index 1a82e29..19bd545 100644
')
tunable_policy(`httpd_read_user_content',`
@@ -1250,64 +1433,74 @@ tunable_policy(`httpd_read_user_content',`
@@ -1250,64 +1437,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@ -6745,7 +6749,7 @@ index 1a82e29..19bd545 100644
########################################
#
@@ -1315,8 +1508,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
@@ -1315,8 +1512,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@ -6762,7 +6766,7 @@ index 1a82e29..19bd545 100644
')
########################################
@@ -1324,49 +1524,38 @@ optional_policy(`
@@ -1324,49 +1528,38 @@ optional_policy(`
# User content local policy
#
@ -6827,7 +6831,7 @@ index 1a82e29..19bd545 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
@@ -1376,38 +1565,99 @@ dev_read_urand(httpd_passwd_t)
@@ -1376,38 +1569,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@ -32133,7 +32137,7 @@ index a49ae4e..0c0e987 100644
+
+/var/lock/kdump(/.*)? gen_context(system_u:object_r:kdump_lock_t,s0)
diff --git a/kdump.if b/kdump.if
index 3a00b3a..a60cc05 100644
index 3a00b3a..21efcc4 100644
--- a/kdump.if
+++ b/kdump.if
@@ -1,4 +1,4 @@
@ -32204,7 +32208,7 @@ index 3a00b3a..a60cc05 100644
## </summary>
## <param name="domain">
## <summary>
@@ -56,10 +100,68 @@ interface(`kdump_read_config',`
@@ -56,10 +100,67 @@ interface(`kdump_read_config',`
allow $1 kdump_etc_t:file read_file_perms;
')
@ -32228,7 +32232,6 @@ index 3a00b3a..a60cc05 100644
+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
+')
+
+
+#####################################
+## <summary>
+## Read kdump crash files.
@ -32275,7 +32278,7 @@ index 3a00b3a..a60cc05 100644
## </summary>
## <param name="domain">
## <summary>
@@ -76,10 +178,51 @@ interface(`kdump_manage_config',`
@@ -76,10 +177,69 @@ interface(`kdump_manage_config',`
allow $1 kdump_etc_t:file manage_file_perms;
')
@ -32319,6 +32322,24 @@ index 3a00b3a..a60cc05 100644
+ manage_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+ manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
+')
+
+#######################################
+## <summary>
+## Transition content labels to kdump named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kdump_filetrans_named_content',`
+ gen_require(`
+ type kdump_lock_t;
+ ')
+
+ files_lock_filetrans($1, kdump_lock_t, file, "kdump")
+')
+
######################################
## <summary>
@ -32329,7 +32350,7 @@ index 3a00b3a..a60cc05 100644
## </summary>
## <param name="domain">
## <summary>
@@ -88,19 +231,24 @@ interface(`kdump_manage_config',`
@@ -88,19 +248,24 @@ interface(`kdump_manage_config',`
## </param>
## <param name="role">
## <summary>
@ -32359,7 +32380,7 @@ index 3a00b3a..a60cc05 100644
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
domain_system_change_exemption($1)
@@ -110,6 +258,10 @@ interface(`kdump_admin',`
@@ -110,6 +275,10 @@ interface(`kdump_admin',`
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
@ -35163,7 +35184,7 @@ index ee0c7cc..c54e3d2 100644
+ allow $1 slapd_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
index d7d9b09..b93f460 100644
index d7d9b09..562c288 100644
--- a/ldap.te
+++ b/ldap.te
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@ -35176,15 +35197,6 @@ index d7d9b09..b93f460 100644
type slapd_lock_t;
files_lock_file(slapd_lock_t)
@@ -44,7 +47,7 @@ files_pid_file(slapd_var_run_t)
# Local policy
#
-allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
+allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search sys_resource };
dontaudit slapd_t self:capability sys_tty_config;
allow slapd_t self:process setsched;
allow slapd_t self:fifo_file rw_fifo_file_perms;
@@ -88,7 +91,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
@ -35614,9 +35626,18 @@ index d18c960..fb5b674 100644
domain_system_change_exemption($1)
role_transition $2 lldpad_initrc_exec_t system_r;
diff --git a/lldpad.te b/lldpad.te
index 648def0..0b6281d 100644
index 648def0..b17392a 100644
--- a/lldpad.te
+++ b/lldpad.te
@@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t)
# Local policy
#
-allow lldpad_t self:capability { net_admin net_raw };
+allow lldpad_t self:capability { net_admin net_raw sys_resource };
allow lldpad_t self:shm create_shm_perms;
allow lldpad_t self:fifo_file rw_fifo_file_perms;
allow lldpad_t self:unix_stream_socket { accept listen };
@@ -51,11 +51,9 @@ kernel_request_load_module(lldpad_t)
dev_read_sysfs(lldpad_t)
@ -39749,7 +39770,7 @@ index 6ffaba2..2c1c0e0 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
index 6194b80..1e67988 100644
index 6194b80..d54c5ba 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@ -40440,7 +40461,7 @@ index 6194b80..1e67988 100644
## </summary>
## <param name="domain">
## <summary>
@@ -530,45 +499,55 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
@@ -530,45 +499,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
## </summary>
## </param>
#
@ -40517,7 +40538,9 @@ index 6194b80..1e67988 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
+ optional_policy(`
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
+ ')
')
+
diff --git a/mozilla.te b/mozilla.te
@ -46208,10 +46231,10 @@ index 56c0fbd..173a2c0 100644
userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
diff --git a/networkmanager.fc b/networkmanager.fc
index a1fb3c3..82f8ae6 100644
index a1fb3c3..2b818b9 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
@@ -1,43 +1,44 @@
@@ -1,43 +1,45 @@
-/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@ -46277,10 +46300,11 @@ index a1fb3c3..82f8ae6 100644
/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wicd\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
index 0e8508c..f8893f8 100644
index 0e8508c..ee2e3de 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
@ -46557,7 +46581,7 @@ index 0e8508c..f8893f8 100644
## </summary>
## </param>
## <param name="role">
@@ -227,33 +310,132 @@ interface(`networkmanager_read_pid_files',`
@@ -227,33 +310,133 @@ interface(`networkmanager_read_pid_files',`
## </param>
## <rolecap/>
#
@ -46705,6 +46729,7 @@ index 0e8508c..f8893f8 100644
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")
@ -49132,10 +49157,10 @@ index 0000000..22e6c96
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --git a/nsplugin.if b/nsplugin.if
new file mode 100644
index 0000000..fce899a
index 0000000..16f4789
--- /dev/null
+++ b/nsplugin.if
@@ -0,0 +1,472 @@
@@ -0,0 +1,474 @@
+
+## <summary>policy for nsplugin</summary>
+
@ -49236,7 +49261,9 @@ index 0000000..fce899a
+
+ # Connect to pulseaudit server
+ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
+ gnome_stream_connect(nsplugin_t, $2)
+ optional_policy(`
+ gnome_stream_connect(nsplugin_t, $2)
+ ')
+
+ userdom_use_inherited_user_terminals(nsplugin_t)
+ userdom_use_inherited_user_terminals(nsplugin_config_t)
@ -61239,7 +61266,7 @@ index cd8b8b9..6c73980 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
index b2b5dba..7b8a7d1 100644
index b2b5dba..9bc465c 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,4 +1,4 @@
@ -61424,7 +61451,7 @@ index b2b5dba..7b8a7d1 100644
corecmd_exec_bin(pppd_t)
corecmd_exec_shell(pppd_t)
@@ -147,36 +169,30 @@ files_exec_etc_files(pppd_t)
@@ -147,36 +169,31 @@ files_exec_etc_files(pppd_t)
files_manage_etc_runtime_files(pppd_t)
files_dontaudit_write_etc_files(pppd_t)
@ -61458,6 +61485,7 @@ index b2b5dba..7b8a7d1 100644
sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
+sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf")
-userdom_use_user_terminals(pppd_t)
+userdom_use_inherited_user_terminals(pppd_t)
@ -61469,7 +61497,7 @@ index b2b5dba..7b8a7d1 100644
optional_policy(`
ddclient_run(pppd_t, pppd_roles)
@@ -186,11 +202,13 @@ optional_policy(`
@@ -186,11 +203,13 @@ optional_policy(`
l2tpd_dgram_send(pppd_t)
l2tpd_rw_socket(pppd_t)
l2tpd_stream_connect(pppd_t)
@ -61484,7 +61512,7 @@ index b2b5dba..7b8a7d1 100644
')
')
@@ -218,16 +236,19 @@ optional_policy(`
@@ -218,16 +237,19 @@ optional_policy(`
########################################
#
@ -61507,7 +61535,7 @@ index b2b5dba..7b8a7d1 100644
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
@@ -236,45 +257,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
@@ -236,45 +258,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
@ -61564,7 +61592,7 @@ index b2b5dba..7b8a7d1 100644
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
@@ -282,12 +301,12 @@ term_ioctl_generic_ptys(pptp_t)
@@ -282,12 +302,12 @@ term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)
@ -61579,7 +61607,7 @@ index b2b5dba..7b8a7d1 100644
sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
@@ -299,6 +318,10 @@ optional_policy(`
@@ -299,6 +319,10 @@ optional_policy(`
')
optional_policy(`
@ -71377,7 +71405,7 @@ index 56bc01f..b8d154e 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
index 2c2de9a..6b7a0f6 100644
index 2c2de9a..b978814 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@ -71703,7 +71731,7 @@ index 2c2de9a..6b7a0f6 100644
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
@@ -98,6 +366,16 @@ fs_manage_configfs_dirs(dlm_controld_t)
@@ -98,16 +366,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
@ -71720,11 +71748,12 @@ index 2c2de9a..6b7a0f6 100644
#######################################
#
# fenced local policy
@@ -105,9 +383,13 @@ init_rw_script_tmp_files(dlm_controld_t)
#
allow fenced_t self:capability { sys_rawio sys_resource };
allow fenced_t self:process { getsched signal_perms };
-allow fenced_t self:process { getsched signal_perms };
-allow fenced_t self:tcp_socket { accept listen };
+allow fenced_t self:process { getsched setpgid signal_perms };
+
+allow fenced_t self:tcp_socket create_stream_socket_perms;
+allow fenced_t self:udp_socket create_socket_perms;
@ -71766,16 +71795,17 @@ index 2c2de9a..6b7a0f6 100644
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
@@ -182,7 +461,7 @@ optional_policy(`
@@ -182,7 +461,8 @@ optional_policy(`
')
optional_policy(`
- corosync_exec(fenced_t)
+ rhcs_exec_cluster(fenced_t)
+ rhcs_rw_cluster_tmpfs(fenced_t)
')
optional_policy(`
@@ -190,12 +469,12 @@ optional_policy(`
@@ -190,12 +470,12 @@ optional_policy(`
')
optional_policy(`
@ -71791,7 +71821,7 @@ index 2c2de9a..6b7a0f6 100644
')
optional_policy(`
@@ -203,6 +482,13 @@ optional_policy(`
@@ -203,6 +483,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@ -71805,7 +71835,7 @@ index 2c2de9a..6b7a0f6 100644
#######################################
#
# foghorn local policy
@@ -221,16 +507,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
@@ -221,16 +508,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
corenet_tcp_connect_agentx_port(foghorn_t)
corenet_tcp_sendrecv_agentx_port(foghorn_t)
@ -71826,7 +71856,7 @@ index 2c2de9a..6b7a0f6 100644
snmp_stream_connect(foghorn_t)
')
@@ -257,6 +545,8 @@ storage_getattr_removable_dev(gfs_controld_t)
@@ -257,6 +546,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@ -71835,7 +71865,7 @@ index 2c2de9a..6b7a0f6 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
@@ -275,10 +565,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
@@ -275,10 +566,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@ -71877,7 +71907,7 @@ index 2c2de9a..6b7a0f6 100644
######################################
#
# qdiskd local policy
@@ -321,6 +640,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
@@ -321,6 +641,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@ -87123,7 +87153,7 @@ index c7de0cf..03fc880 100644
+/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/telepathy.if b/telepathy.if
index 42946bc..741f2f4 100644
index 42946bc..9f70e4c 100644
--- a/telepathy.if
+++ b/telepathy.if
@@ -2,45 +2,39 @@
@ -87396,7 +87426,7 @@ index 42946bc..741f2f4 100644
## </summary>
## <param name="domain">
## <summary>
@@ -209,11 +197,138 @@ interface(`telepathy_msn_stream_connect',`
@@ -209,11 +197,140 @@ interface(`telepathy_msn_stream_connect',`
## </summary>
## </param>
#
@ -87510,13 +87540,15 @@ index 42946bc..741f2f4 100644
+ userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control")
+ userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
+
+ gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")
+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky")
+ gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy")
+ optional_policy(`
+ gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections")
+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")
+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky")
+ gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy")
+
+ gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger")
+ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
+ gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger")
+ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
+ ')
+')
+
+######################################
@ -88761,10 +88793,10 @@ index 0000000..5e3637e
+')
diff --git a/thin.te b/thin.te
new file mode 100644
index 0000000..ff282dc
index 0000000..39d17b7
--- /dev/null
+++ b/thin.te
@@ -0,0 +1,114 @@
@@ -0,0 +1,115 @@
+policy_module(thin, 1.0)
+
+########################################
@ -88841,6 +88873,7 @@ index 0000000..ff282dc
+#
+
+allow thin_t self:capability { setuid kill setgid dac_override };
+allow thin_t self:capability2 block_suspend;
+
+allow thin_t self:netlink_route_socket r_netlink_socket_perms;
+allow thin_t self:udp_socket create_socket_perms;
@ -88905,10 +88938,10 @@ index 0000000..92b6843
+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
diff --git a/thumb.if b/thumb.if
new file mode 100644
index 0000000..8b2dfff
index 0000000..c1fd8b4
--- /dev/null
+++ b/thumb.if
@@ -0,0 +1,130 @@
@@ -0,0 +1,133 @@
+
+## <summary>policy for thumb</summary>
+
@ -89015,7 +89048,7 @@ index 0000000..8b2dfff
+
+ allow $1 thumb_t:dbus send_msg;
+ allow thumb_t $1:dbus send_msg;
+ ps_process_pattern(thumb_t, $1)
+ ps_process_pattern(thumb_t, $1)
+')
+
+########################################
@ -89037,7 +89070,10 @@ index 0000000..8b2dfff
+
+ userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
+ userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
+ gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails")
+
+ optional_policy(`
+ gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails")
+ ')
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
@ -99337,10 +99373,10 @@ index 0000000..8c61505
+/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0)
diff --git a/zoneminder.if b/zoneminder.if
new file mode 100644
index 0000000..614a979
index 0000000..d02a6f4
--- /dev/null
+++ b/zoneminder.if
@@ -0,0 +1,354 @@
@@ -0,0 +1,374 @@
+## <summary>policy for zoneminder</summary>
+
+########################################
@ -99362,6 +99398,26 @@ index 0000000..614a979
+ domtrans_pattern($1, zoneminder_exec_t, zoneminder_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute zoneminder
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zoneminder_exec',`
+ gen_require(`
+ type zoneminder_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, zoneminder_exec_t)
+')
+
+
+########################################
+## <summary>


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 91%{?dist}
Release: 92%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -572,6 +572,20 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Tue Oct 22 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-92
- Allow sshd_t to read openshift content, needs backport to RHEL6.5
- Label /usr/lib64/sasl2/libsasldb.so.3.0.0 as textrel_shlib_t
- Make sur kdump lock is created with correct label if kdumpctl is executed
- gnome interface calls should always be made within an optional_block
- Allow syslogd_t to connect to the syslog_tls port
- Add labeling for /var/run/charon.ctl socket
- Add kdump_filetrans_named_content()
- Allo setpgid for fenced_t
- Allow setpgid and r/w cluster tmpfs for fenced_t
- gnome calls should always be within optional blocks
- wicd.pid should be labeled as networkmanager_var_run_t
- Allow sys_resource for lldpad
* Thu Oct 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-91
- Add rtas policy