* Fri Nov 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-301

- Merge pull request #37 from milosmalik/rawhide
- Allow mozilla_plugin_t domain to dbus chat with devicekit
- Dontaudit leaked logwatch pipes
- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.
- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546)
- Allow chronyd daemon to execute chronyc. BZ(1507478)
- Allow pdns to read network system state BZ(1507244)
- Allow gssproxy to read network system state Resolves: rhbz#1507191
- Allow nfsd_t domain to read configfs_t files/dirs
- Allow tgtd_t domain to read generic certs
- Allow ptp4l to send msgs via dgram socket to unprivileged user domains
- Allow dirsrv_snmp_t to use inherited user ptys and read system state
- Allow glusterd_t domain to create own tmpfs dirs/files
- Allow keepalived stream connect to snmp
Lukas Vrabec 2017-11-03 13:17:33 +01:00
parent ba9b7318d9
commit 4c1c744cdd
4 changed files with 184 additions and 102 deletions



@ -50199,10 +50199,10 @@ index 000000000..5871e072d
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 000000000..5033e0eb6
index 000000000..bb880db4a
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,1039 @@
@@ -0,0 +1,1040 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -50272,6 +50272,7 @@ index 000000000..5033e0eb6
+
+type systemd_resolved_var_run_t;
+files_pid_file(systemd_resolved_var_run_t)
+files_mountpoint(systemd_resolved_var_run_t)
+
+type systemd_resolved_unit_file_t;
+systemd_unit_file(systemd_resolved_unit_file_t)
@ -58380,7 +58381,7 @@ index e79d54501..101086d66 100644
')
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 6e9131723..dc1c884fe 100644
index 6e9131723..528c5d2d1 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@ -58389,7 +58390,7 @@ index 6e9131723..dc1c884fe 100644
#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
-
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket dccp_socket }')
#
# Datagram socket classes.
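Review bot: Adding dccp_socket to socket_class_set in obj_perm_sets.spt widens every rule in the policy that expands that macro, so any domain already granted socket_class_set permissions (and every dontaudit written against the set) silently gains or suppresses DCCP socket access too, and neither this nor the new `files_mountpoint(systemd_resolved_var_run_t)` line in the systemd.te hunk is mentioned in the changelog at the top of the commit. A changelog line such as `- Add dccp_socket to socket_class_set; allow mounting on systemd_resolved_var_run_t` would record why the base patch changed alongside the contrib changes. Both inner hunks are cut from the surrounding patch file, so the rules that consume socket_class_set and the rest of the systemd-resolved declarations are not visible here.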


@ -5626,7 +5626,7 @@ index f6eb4851f..3628a384f 100644
+ allow $1 httpd_t:process { noatsecure };
')
diff --git a/apache.te b/apache.te
index 6649962b6..cb95398ea 100644
index 6649962b6..3db9df9f9 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@ -6345,7 +6345,7 @@ index 6649962b6..cb95398ea 100644
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -450,140 +571,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -450,140 +571,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@ -6412,6 +6412,7 @@ index 6649962b6..cb95398ea 100644
-fs_search_auto_mountpoints(httpd_t)
+fs_rw_anon_inodefs_files(httpd_t)
+fs_rw_hugetlbfs_files(httpd_t)
+fs_exec_hugetlbfs_files(httpd_t)
+fs_list_inotifyfs(httpd_t)
+
+auth_use_nsswitch(httpd_t)
@ -6588,7 +6589,7 @@ index 6649962b6..cb95398ea 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -594,28 +753,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
@@ -594,28 +754,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@ -6648,7 +6649,7 @@ index 6649962b6..cb95398ea 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -624,68 +805,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -624,68 +806,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@ -6751,7 +6752,7 @@ index 6649962b6..cb95398ea 100644
')
tunable_policy(`httpd_setrlimit',`
@@ -695,49 +864,48 @@ tunable_policy(`httpd_setrlimit',`
@@ -695,49 +865,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -6832,7 +6833,7 @@ index 6649962b6..cb95398ea 100644
')
optional_policy(`
@@ -749,24 +917,32 @@ optional_policy(`
@@ -749,24 +918,32 @@ optional_policy(`
')
optional_policy(`
@ -6871,7 +6872,7 @@ index 6649962b6..cb95398ea 100644
')
optional_policy(`
@@ -775,6 +951,10 @@ optional_policy(`
@@ -775,6 +952,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t)
')
@ -6882,7 +6883,7 @@ index 6649962b6..cb95398ea 100644
')
optional_policy(`
@@ -786,35 +966,62 @@ optional_policy(`
@@ -786,35 +967,62 @@ optional_policy(`
')
optional_policy(`
@ -6958,7 +6959,7 @@ index 6649962b6..cb95398ea 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
@@ -822,8 +1029,31 @@ optional_policy(`
@@ -822,8 +1030,31 @@ optional_policy(`
')
optional_policy(`
@ -6990,7 +6991,7 @@ index 6649962b6..cb95398ea 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
@@ -832,6 +1062,8 @@ optional_policy(`
@@ -832,6 +1063,8 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@ -6999,7 +7000,7 @@ index 6649962b6..cb95398ea 100644
')
optional_policy(`
@@ -842,20 +1074,48 @@ optional_policy(`
@@ -842,20 +1075,48 @@ optional_policy(`
')
optional_policy(`
@ -7054,7 +7055,7 @@ index 6649962b6..cb95398ea 100644
')
optional_policy(`
@@ -863,16 +1123,31 @@ optional_policy(`
@@ -863,16 +1124,31 @@ optional_policy(`
')
optional_policy(`
@ -7088,7 +7089,7 @@ index 6649962b6..cb95398ea 100644
')
optional_policy(`
@@ -883,65 +1158,189 @@ optional_policy(`
@@ -883,65 +1159,189 @@ optional_policy(`
yam_read_content(httpd_t)
')
@ -7300,7 +7301,7 @@ index 6649962b6..cb95398ea 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
@@ -950,123 +1349,75 @@ auth_use_nsswitch(httpd_suexec_t)
@@ -950,123 +1350,75 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@ -7454,7 +7455,7 @@ index 6649962b6..cb95398ea 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -1083,172 +1434,107 @@ optional_policy(`
@@ -1083,172 +1435,107 @@ optional_policy(`
')
')
@ -7692,7 +7693,7 @@ index 6649962b6..cb95398ea 100644
')
tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1542,74 @@ tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1543,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@ -7790,7 +7791,7 @@ index 6649962b6..cb95398ea 100644
########################################
#
@@ -1321,8 +1617,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
@@ -1321,8 +1618,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@ -7807,7 +7808,7 @@ index 6649962b6..cb95398ea 100644
')
########################################
@@ -1330,49 +1633,43 @@ optional_policy(`
@@ -1330,49 +1634,43 @@ optional_policy(`
# User content local policy
#
@ -7876,7 +7877,7 @@ index 6649962b6..cb95398ea 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
@@ -1382,38 +1679,109 @@ dev_read_urand(httpd_passwd_t)
@@ -1382,38 +1680,109 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@ -13908,7 +13909,7 @@ index 32e8265c2..508f3b84f 100644
+ roleattribute $2 chronyc_roles;
')
diff --git a/chronyd.te b/chronyd.te
index e5b621c29..89ecee1f7 100644
index e5b621c29..47b5fe7e4 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -5,6 +5,9 @@ policy_module(chronyd, 1.2.0)
@ -13967,17 +13968,19 @@ index e5b621c29..89ecee1f7 100644
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file })
@@ -61,6 +82,9 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
@@ -61,6 +82,11 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
kernel_read_system_state(chronyd_t)
kernel_read_network_state(chronyd_t)
+kernel_request_load_module(chronyd_t)
+
+can_exec(chronyd_t,chronyc_exec_t)
+
+clock_read_adjtime(chronyd_t)
corenet_all_recvfrom_unlabeled(chronyd_t)
corenet_all_recvfrom_netlabel(chronyd_t)
@@ -76,18 +100,62 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
@@ -76,18 +102,62 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)
@ -22724,7 +22727,7 @@ index 83bfda6ed..92d9fb2e7 100644
domain_system_change_exemption($1)
role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/cyrus.te b/cyrus.te
index 4283f2de2..fe348758e 100644
index 4283f2de2..c29c47501 100644
--- a/cyrus.te
+++ b/cyrus.te
@@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
@ -22736,9 +22739,11 @@ index 4283f2de2..fe348758e 100644
dontaudit cyrus_t self:capability sys_tty_config;
allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow cyrus_t self:process setrlimit;
@@ -63,12 +63,12 @@ kernel_read_kernel_sysctls(cyrus_t)
@@ -62,13 +62,14 @@ files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(cyrus_t)
kernel_read_system_state(cyrus_t)
kernel_read_all_sysctls(cyrus_t)
+kernel_read_network_state(cyrus_t)
-corenet_all_recvfrom_unlabeled(cyrus_t)
corenet_all_recvfrom_netlabel(cyrus_t)
@ -22750,7 +22755,7 @@ index 4283f2de2..fe348758e 100644
corenet_sendrecv_mail_server_packets(cyrus_t)
corenet_tcp_bind_mail_port(cyrus_t)
@@ -76,6 +76,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
@@ -76,6 +77,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
corenet_sendrecv_lmtp_server_packets(cyrus_t)
corenet_tcp_bind_lmtp_port(cyrus_t)
@ -22760,7 +22765,7 @@ index 4283f2de2..fe348758e 100644
corenet_sendrecv_pop_server_packets(cyrus_t)
corenet_tcp_bind_pop_port(cyrus_t)
@@ -95,8 +98,6 @@ domain_use_interactive_fds(cyrus_t)
@@ -95,8 +99,6 @@ domain_use_interactive_fds(cyrus_t)
files_list_var_lib(cyrus_t)
files_read_etc_runtime_files(cyrus_t)
@ -22769,7 +22774,7 @@ index 4283f2de2..fe348758e 100644
fs_getattr_all_fs(cyrus_t)
fs_search_auto_mountpoints(cyrus_t)
@@ -107,7 +108,6 @@ libs_exec_lib_files(cyrus_t)
@@ -107,7 +109,6 @@ libs_exec_lib_files(cyrus_t)
logging_send_syslog_msg(cyrus_t)
@ -22777,7 +22782,7 @@ index 4283f2de2..fe348758e 100644
miscfiles_read_generic_certs(cyrus_t)
userdom_use_unpriv_users_fds(cyrus_t)
@@ -121,6 +121,14 @@ optional_policy(`
@@ -121,6 +122,14 @@ optional_policy(`
')
optional_policy(`
@ -22792,7 +22797,7 @@ index 4283f2de2..fe348758e 100644
kerberos_read_keytab(cyrus_t)
kerberos_use(cyrus_t)
')
@@ -134,8 +142,8 @@ optional_policy(`
@@ -134,8 +143,8 @@ optional_policy(`
')
optional_policy(`
@ -26230,10 +26235,10 @@ index 000000000..b3784d85d
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
index 000000000..f068532e7
index 000000000..58a8bf4fd
--- /dev/null
+++ b/dirsrv.te
@@ -0,0 +1,207 @@
@@ -0,0 +1,210 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@ -26418,6 +26423,8 @@ index 000000000..f068532e7
+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
+filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
+
+kernel_read_system_state(dirsrv_snmp_t)
+
+corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
+
+dev_read_rand(dirsrv_snmp_t)
@ -26430,10 +26437,11 @@ index 000000000..f068532e7
+fs_getattr_tmpfs(dirsrv_snmp_t)
+fs_search_tmpfs(dirsrv_snmp_t)
+
+
+sysnet_read_config(dirsrv_snmp_t)
+sysnet_dns_name_resolve(dirsrv_snmp_t)
+
+userdom_use_inherited_user_ptys(dirsrv_snmp_t)
+
+optional_policy(`
+ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
+ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
@ -32102,10 +32110,10 @@ index 000000000..d9ba5fa27
+')
diff --git a/ganesha.te b/ganesha.te
new file mode 100644
index 000000000..3cf186efc
index 000000000..0fdeecfd6
--- /dev/null
+++ b/ganesha.te
@@ -0,0 +1,109 @@
@@ -0,0 +1,110 @@
+policy_module(ganesha, 1.0.0)
+
+########################################
@ -32182,6 +32190,7 @@ index 000000000..3cf186efc
+
+dev_rw_infiniband_dev(ganesha_t)
+dev_read_gpfs(ganesha_t)
+dev_read_rand(ganesha_t)
+
+logging_send_syslog_msg(ganesha_t)
+
@ -33861,10 +33870,10 @@ index 000000000..450146018
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
index 000000000..5d279ca35
index 000000000..7eeb7b0c0
--- /dev/null
+++ b/glusterd.te
@@ -0,0 +1,324 @@
@@ -0,0 +1,331 @@
+policy_module(glusterd, 1.1.3)
+
+## <desc>
@ -33916,6 +33925,9 @@ index 000000000..5d279ca35
+type glusterd_tmp_t;
+files_tmp_file(glusterd_tmp_t)
+
+type glusterd_tmpfs_t;
+files_tmpfs_file(glusterd_tmpfs_t)
+
+type glusterd_log_t;
+logging_log_file(glusterd_log_t)
+
@ -33954,6 +33966,10 @@ index 000000000..5d279ca35
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+allow glusterd_t glusterd_tmp_t:dir mounton;
+
+manage_dirs_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t)
+manage_files_pattern(glusterd_t, glusterd_tmpfs_t, glusterd_tmpfs_t)
+fs_tmpfs_filetrans(glusterd_t, glusterd_tmpfs_t, { dir file })
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir })
@ -38150,10 +38166,10 @@ index 000000000..8a2013af9
+')
diff --git a/gssproxy.te b/gssproxy.te
new file mode 100644
index 000000000..86a4d31a1
index 000000000..800eb43a1
--- /dev/null
+++ b/gssproxy.te
@@ -0,0 +1,74 @@
@@ -0,0 +1,75 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
@ -38196,6 +38212,7 @@ index 000000000..86a4d31a1
+files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+kernel_read_network_state(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
@ -43845,10 +43862,10 @@ index 000000000..bd7e7fa17
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
index 000000000..f84877209
index 000000000..d7cf7c7c3
--- /dev/null
+++ b/keepalived.te
@@ -0,0 +1,101 @@
@@ -0,0 +1,102 @@
+policy_module(keepalived, 1.0.0)
+
+########################################
@ -43926,6 +43943,7 @@ index 000000000..f84877209
+ snmp_manage_var_lib_files(keepalived_t)
+ snmp_manage_var_lib_sock_files(keepalived_t)
+ snmp_manage_var_lib_dirs(keepalived_t)
+ snmp_stream_connect(keepalived_t)
+')
+
+########################################
@ -47497,10 +47515,10 @@ index 000000000..7ba50607c
+
diff --git a/linuxptp.te b/linuxptp.te
new file mode 100644
index 000000000..7acdb2d40
index 000000000..37414ae0d
--- /dev/null
+++ b/linuxptp.te
@@ -0,0 +1,180 @@
@@ -0,0 +1,184 @@
+policy_module(linuxptp, 1.0.0)
+
+
@ -47670,10 +47688,14 @@ index 000000000..7acdb2d40
+corenet_udp_bind_generic_node(ptp4l_t)
+corenet_udp_bind_reserved_port(ptp4l_t)
+
+kernel_read_network_state(ptp4l_t)
+
+dev_rw_realtime_clock(ptp4l_t)
+
+logging_send_syslog_msg(ptp4l_t)
+
+userdom_dgram_send(ptp4l_t)
+
+optional_policy(`
+ chronyd_rw_shm(ptp4l_t)
+')
@ -48443,6 +48465,32 @@ index be0ab84b3..af94fb163 100644
+role system_r types logrotate_mail_t;
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.if b/logwatch.if
index 06c3d36ca..2bb771f02 100644
--- a/logwatch.if
+++ b/logwatch.if
@@ -37,3 +37,21 @@ interface(`logwatch_search_cache_dir',`
files_search_var($1)
allow $1 logwatch_cache_t:dir search_dir_perms;
')
+
+#######################################
+## <summary>
+## Dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`logwatch_dontaudit_leaks',`
+ gen_require(`
+ type logwatch_t;
+ ')
+
+ dontaudit $1 logwatch_t:fifo_file { read write };
+')
diff --git a/logwatch.te b/logwatch.te
index ab650340c..433d37810 100644
--- a/logwatch.te
@ -54207,7 +54255,7 @@ index 6194b806b..e27c53d6e 100644
')
+
diff --git a/mozilla.te b/mozilla.te
index 11ac8e4fc..28c1c5f16 100644
index 11ac8e4fc..bb6533dae 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
@ -54488,11 +54536,11 @@ index 11ac8e4fc..28c1c5f16 100644
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t)
-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-
+userdom_use_inherited_user_ptys(mozilla_t)
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
@ -54626,34 +54674,34 @@ index 11ac8e4fc..28c1c5f16 100644
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+ gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
+')
+
+optional_policy(`
+ java_domtrans(mozilla_t)
')
optional_policy(`
- java_exec(mozilla_t)
- java_manage_generic_home_content(mozilla_t)
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
+ java_domtrans(mozilla_t)
+ lpd_domtrans_lpr(mozilla_t)
')
optional_policy(`
- lpd_run_lpr(mozilla_t, mozilla_roles)
+ lpd_domtrans_lpr(mozilla_t)
+ mplayer_domtrans(mozilla_t)
+ mplayer_read_user_home_files(mozilla_t)
')
optional_policy(`
- mplayer_exec(mozilla_t)
- mplayer_manage_generic_home_content(mozilla_t)
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
+ mplayer_domtrans(mozilla_t)
+ mplayer_read_user_home_files(mozilla_t)
+ nscd_socket_use(mozilla_t)
')
optional_policy(`
- pulseaudio_run(mozilla_t, mozilla_roles)
+ nscd_socket_use(mozilla_t)
+')
+
+optional_policy(`
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
@ -54661,7 +54709,7 @@ index 11ac8e4fc..28c1c5f16 100644
')
optional_policy(`
@@ -300,259 +340,261 @@ optional_policy(`
@@ -300,259 +340,265 @@ optional_policy(`
########################################
#
@ -55026,13 +55074,6 @@ index 11ac8e4fc..28c1c5f16 100644
+ dbus_session_bus_client(mozilla_plugin_t)
+ dbus_connect_session_bus(mozilla_plugin_t)
+ dbus_read_lib_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ gnome_manage_config(mozilla_plugin_t)
+ gnome_read_usr_config(mozilla_plugin_t)
+ gnome_filetrans_home_content(mozilla_plugin_t)
+ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
')
optional_policy(`
@ -55040,6 +55081,17 @@ index 11ac8e4fc..28c1c5f16 100644
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
+ devicekit_dbus_chat_disk(mozilla_plugin_t)
+')
+
+optional_policy(`
+ gnome_manage_config(mozilla_plugin_t)
+ gnome_read_usr_config(mozilla_plugin_t)
+ gnome_filetrans_home_content(mozilla_plugin_t)
+ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
')
@ -55069,7 +55121,7 @@ index 11ac8e4fc..28c1c5f16 100644
')
optional_policy(`
@@ -560,7 +602,11 @@ optional_policy(`
@@ -560,7 +606,11 @@ optional_policy(`
')
optional_policy(`
@ -55082,7 +55134,7 @@ index 11ac8e4fc..28c1c5f16 100644
')
optional_policy(`
@@ -568,108 +614,144 @@ optional_policy(`
@@ -568,108 +618,144 @@ optional_policy(`
')
optional_policy(`
@ -71802,10 +71854,10 @@ index 000000000..02df03ad6
+')
diff --git a/pdns.te b/pdns.te
new file mode 100644
index 000000000..63ddc577c
index 000000000..4df7ada2a
--- /dev/null
+++ b/pdns.te
@@ -0,0 +1,83 @@
@@ -0,0 +1,85 @@
+policy_module(pdns, 1.0.2)
+
+########################################
@ -71849,6 +71901,8 @@ index 000000000..63ddc577c
+allow pdns_t self:unix_dgram_socket create_socket_perms;
+pdns_read_config(pdns_t)
+
+kernel_read_network_state(pdns_t)
+
+corenet_tcp_bind_dns_port(pdns_t)
+corenet_udp_bind_dns_port(pdns_t)
+
@ -72037,7 +72091,7 @@ index d2fc677c1..86dce34a2 100644
')
+
diff --git a/pegasus.te b/pegasus.te
index 608f454d8..8f0f5fd9c 100644
index 608f454d8..64782ff03 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@ -72056,7 +72110,7 @@ index 608f454d8..8f0f5fd9c 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
@@ -30,20 +29,335 @@ files_type(pegasus_mof_t)
@@ -30,20 +29,337 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@ -72189,6 +72243,8 @@ index 608f454d8..8f0f5fd9c 100644
+
+kernel_read_network_state(pegasus_openlmi_services_t)
+
+miscfiles_read_certs(pegasus_openlmi_services_t)
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_services_t)
+')
@ -72398,7 +72454,7 @@ index 608f454d8..8f0f5fd9c 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
@@ -54,25 +368,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
@@ -54,25 +370,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@ -72433,7 +72489,7 @@ index 608f454d8..8f0f5fd9c 100644
kernel_read_fs_sysctls(pegasus_t)
kernel_read_system_state(pegasus_t)
kernel_search_vm_sysctl(pegasus_t)
@@ -80,27 +395,21 @@ kernel_read_net_sysctls(pegasus_t)
@@ -80,27 +397,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@ -72466,7 +72522,7 @@ index 608f454d8..8f0f5fd9c 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
@@ -114,9 +423,11 @@ files_getattr_all_dirs(pegasus_t)
@@ -114,9 +425,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@ -72478,7 +72534,7 @@ index 608f454d8..8f0f5fd9c 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
@@ -128,18 +439,29 @@ init_stream_connect_script(pegasus_t)
@@ -128,18 +441,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@ -72500,21 +72556,21 @@ index 608f454d8..8f0f5fd9c 100644
+optional_policy(`
+ dbus_system_bus_client(pegasus_t)
+ dbus_connect_system_bus(pegasus_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(pegasus_t)
+ ')
+')
- optional_policy(`
- networkmanager_dbus_chat(pegasus_t)
- ')
+optional_policy(`
+ networkmanager_dbus_chat(pegasus_t)
+ ')
+')
+
+optional_policy(`
+ rhcs_stream_connect_cluster(pegasus_t)
')
optional_policy(`
@@ -151,16 +473,24 @@ optional_policy(`
@@ -151,16 +475,24 @@ optional_policy(`
')
optional_policy(`
@ -72543,7 +72599,7 @@ index 608f454d8..8f0f5fd9c 100644
')
optional_policy(`
@@ -168,7 +498,7 @@ optional_policy(`
@@ -168,7 +500,7 @@ optional_policy(`
')
optional_policy(`
@ -72552,7 +72608,7 @@ index 608f454d8..8f0f5fd9c 100644
')
optional_policy(`
@@ -180,12 +510,17 @@ optional_policy(`
@@ -180,12 +512,17 @@ optional_policy(`
')
optional_policy(`
@ -77332,7 +77388,7 @@ index ded95ec3a..210018ce4 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
index 5cfb83eca..67f813d34 100644
index 5cfb83eca..5de033f81 100644
--- a/postfix.te
+++ b/postfix.te
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@ -78040,7 +78096,7 @@ index 5cfb83eca..67f813d34 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -655,69 +595,80 @@ optional_policy(`
@@ -655,69 +595,84 @@ optional_policy(`
########################################
#
@ -78104,6 +78160,10 @@ index 5cfb83eca..67f813d34 100644
term_use_all_ptys(postfix_showq_t)
term_use_all_ttys(postfix_showq_t)
+optional_policy(`
+ logwatch_dontaudit_leaks(postfix_showq_t)
+')
+
########################################
#
-# Smtp delivery local policy
@ -78138,7 +78198,7 @@ index 5cfb83eca..67f813d34 100644
')
optional_policy(`
@@ -730,28 +681,32 @@ optional_policy(`
@@ -730,28 +685,32 @@ optional_policy(`
########################################
#
@ -78179,7 +78239,7 @@ index 5cfb83eca..67f813d34 100644
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
@@ -764,6 +719,7 @@ optional_policy(`
@@ -764,6 +723,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@ -78187,7 +78247,7 @@ index 5cfb83eca..67f813d34 100644
')
optional_policy(`
@@ -774,31 +730,102 @@ optional_policy(`
@@ -774,31 +734,102 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@ -93683,7 +93743,7 @@ index 0bf13c220..79a2a9c48 100644
+ allow $1 gssd_t:process { noatsecure rlimitinh };
+')
diff --git a/rpc.te b/rpc.te
index 2da9fca2f..9099c9800 100644
index 2da9fca2f..c8afd1e50 100644
--- a/rpc.te
+++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@ -93888,7 +93948,7 @@ index 2da9fca2f..9099c9800 100644
')
########################################
@@ -201,42 +231,64 @@ optional_policy(`
@@ -201,42 +231,66 @@ optional_policy(`
# NFSD local policy
#
@ -93935,6 +93995,8 @@ index 2da9fca2f..9099c9800 100644
files_manage_mounttab(nfsd_t)
+files_read_etc_runtime_files(nfsd_t)
+fs_read_configfs_files(nfsd_t)
+fs_read_configfs_dirs(nfsd_t)
+fs_mounton_nfsd_fs(nfsd_t)
fs_mount_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
@ -93964,7 +94026,7 @@ index 2da9fca2f..9099c9800 100644
miscfiles_manage_public_files(nfsd_t)
')
@@ -245,7 +297,6 @@ tunable_policy(`nfs_export_all_rw',`
@@ -245,7 +299,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@ -93972,7 +94034,7 @@ index 2da9fca2f..9099c9800 100644
')
tunable_policy(`nfs_export_all_ro',`
@@ -257,12 +308,12 @@ tunable_policy(`nfs_export_all_ro',`
@@ -257,12 +310,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@ -93987,7 +94049,7 @@ index 2da9fca2f..9099c9800 100644
')
########################################
@@ -270,7 +321,7 @@ optional_policy(`
@@ -270,7 +323,7 @@ optional_policy(`
# GSSD local policy
#
@ -93996,7 +94058,7 @@ index 2da9fca2f..9099c9800 100644
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
@@ -280,6 +331,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
@@ -280,6 +333,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@ -94004,7 +94066,7 @@ index 2da9fca2f..9099c9800 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
@@ -288,25 +340,31 @@ kernel_signal(gssd_t)
@@ -288,25 +342,31 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@ -94039,7 +94101,7 @@ index 2da9fca2f..9099c9800 100644
')
optional_policy(`
@@ -314,9 +372,12 @@ optional_policy(`
@@ -314,9 +374,12 @@ optional_policy(`
')
optional_policy(`
@ -111403,7 +111465,7 @@ index 5406b6ee8..dc5b46e28 100644
admin_pattern($1, tgtd_tmpfs_t)
')
diff --git a/tgtd.te b/tgtd.te
index d01096386..ae473b2b2 100644
index d01096386..c491b2f9c 100644
--- a/tgtd.te
+++ b/tgtd.te
@@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t)
@ -111435,7 +111497,7 @@ index d01096386..ae473b2b2 100644
corenet_tcp_sendrecv_iscsi_port(tgtd_t)
corenet_sendrecv_iscsi_client_packets(tgtd_t)
@@ -72,16 +73,16 @@ corenet_tcp_connect_isns_port(tgtd_t)
@@ -72,16 +73,18 @@ corenet_tcp_connect_isns_port(tgtd_t)
dev_read_sysfs(tgtd_t)
@ -111444,6 +111506,8 @@ index d01096386..ae473b2b2 100644
fs_read_anon_inodefs_files(tgtd_t)
+miscfiles_read_generic_certs(tgtd_t)
+
storage_manage_fixed_disk(tgtd_t)
+storage_read_scsi_generic(tgtd_t)
+storage_write_scsi_generic(tgtd_t)
@ -120205,11 +120269,12 @@ index 6b72968ea..de409cc61 100644
+userdom_use_inherited_user_terminals(vlock_t)
diff --git a/vmtools.fc b/vmtools.fc
new file mode 100644
index 000000000..c5deffb77
index 000000000..13ee573e4
--- /dev/null
+++ b/vmtools.fc
@@ -0,0 +1,5 @@
@@ -0,0 +1,6 @@
+/usr/bin/vmtoolsd -- gen_context(system_u:object_r:vmtools_exec_t,s0)
+/usr/bin/VGAuthService -- gen_context(system_u:object_r:vmtools_exec_t,s0)
+
+/usr/bin/vmware-user-suid-wrapper -- gen_context(system_u:object_r:vmtools_helper_exec_t,s0)
+
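Review bot: `fs_exec_hugetlbfs_files(httpd_t)` in the apache.te hunk is granted unconditionally, directly under the existing `fs_rw_hugetlbfs_files(httpd_t)`, so httpd_t can now map a hugetlbfs file it is also allowed to write as executable, which is a write-plus-execute path comparable to execmem. If the BZ(1444546) use case is a JIT or similar, the exec permission would fit better inside a tunable_policy block keyed on the existing httpd_execmem boolean, or the hunk should carry a comment naming the consumer that needs it unconditionally. The same question applies to `devicekit_dbus_chat_disk(mozilla_plugin_t)` in the mozilla.te hunk, which lets a browser-plugin domain talk to the disk-management daemon over D-Bus with no tunable to turn it off. Both hunks are excerpts of the patch file, so the enclosing httpd_t and mozilla_plugin_t policy blocks are not fully visible here.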


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 300%{?dist}
Release: 301%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -717,6 +717,22 @@ exit 0
%endif
%changelog
* Fri Nov 03 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-301
- Merge pull request #37 from milosmalik/rawhide
- Allow mozilla_plugin_t domain to dbus chat with devicekit
- Dontaudit leaked logwatch pipes
- Label /usr/bin/VGAuthService as vmtools_exec_t to confine this daemon.
- Allow httpd_t domain to execute hugetlbfs_t files BZ(1444546)
- Allow chronyd daemon to execute chronyc. BZ(1507478)
- Allow pdns to read network system state BZ(1507244)
- Allow gssproxy to read network system state Resolves: rhbz#1507191
- Allow nfsd_t domain to read configfs_t files/dirs
- Allow tgtd_t domain to read generic certs
- Allow ptp4l to send msgs via dgram socket to unprivileged user domains
- Allow dirsrv_snmp_t to use inherited user ptys and read system state
- Allow glusterd_t domain to create own tmpfs dirs/files
- Allow keepalived stream connect to snmp
* Thu Oct 26 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-300
- Allow zabbix_t domain to change its resource limits
- Add new boolean nagios_use_nfs