- Add more aliases in pegasus.te

- Add more fixes for *_admin interfaces
- Add interface fixes
- Allow nscd to stream connect to nmbd
- Allow gnupg apps to write to pcscd socket
- Add more fixes for openlmi provides. Fix naming and support for a
- Allow fetchmail to resolve host names
- Allow firewalld to interact also with lnk files labeled as firewa
- Add labeling for cmpiLMI_Fan-cimprovagt
- Allow net_admin for glusterd
- Allow telepathy domain to create dconf with correct labeling in /
- Add pegasus_openlmi_system_t
- Fix puppet_domtrans_master() to make all puppet calling working i
- Fix corecmd_exec_chroot()
- Fix logging_relabel_syslog_pid_socket interface
- Fix typo in unconfineduser.te
- Allow system_r to access unconfined_dbusd_t to run hp_chec
Miroslav Grepl 2013-07-31 14:15:19 +02:00
parent 6655c4c00e
commit 5ed54459f6
3 changed files with 228 additions and 128 deletions


@ -3381,7 +3381,7 @@ index 644d4d7..51181b8 100644
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 9e9263a..979f47f 100644 index 9e9263a..43cdcb9 100644
--- a/policy/modules/kernel/corecommands.if --- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if
@@ -8,6 +8,22 @@ @@ -8,6 +8,22 @@
@ -3508,7 +3508,15 @@ index 9e9263a..979f47f 100644
mmap_files_pattern($1, bin_t, bin_t) mmap_files_pattern($1, bin_t, bin_t)
') ')
@@ -954,6 +999,24 @@ interface(`corecmd_exec_chroot',` @@ -945,6 +990,7 @@ interface(`corecmd_shell_domtrans',`
interface(`corecmd_exec_chroot',`
gen_require(`
type chroot_exec_t;
+ type bin_t;
')
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -954,6 +1000,24 @@ interface(`corecmd_exec_chroot',`
######################################## ########################################
## <summary> ## <summary>
@ -3533,7 +3541,7 @@ index 9e9263a..979f47f 100644
## Get the attributes of all executable files. ## Get the attributes of all executable files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1012,6 +1075,10 @@ interface(`corecmd_exec_all_executables',` @@ -1012,6 +1076,10 @@ interface(`corecmd_exec_all_executables',`
can_exec($1, exec_type) can_exec($1, exec_type)
list_dirs_pattern($1, bin_t, bin_t) list_dirs_pattern($1, bin_t, bin_t)
read_lnk_files_pattern($1, bin_t, exec_type) read_lnk_files_pattern($1, bin_t, exec_type)
@ -3544,7 +3552,7 @@ index 9e9263a..979f47f 100644
') ')
######################################## ########################################
@@ -1049,6 +1116,7 @@ interface(`corecmd_manage_all_executables',` @@ -1049,6 +1117,7 @@ interface(`corecmd_manage_all_executables',`
type bin_t; type bin_t;
') ')
@ -3552,7 +3560,7 @@ index 9e9263a..979f47f 100644
manage_files_pattern($1, bin_t, exec_type) manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t) manage_lnk_files_pattern($1, bin_t, bin_t)
') ')
@@ -1091,3 +1159,36 @@ interface(`corecmd_mmap_all_executables',` @@ -1091,3 +1160,36 @@ interface(`corecmd_mmap_all_executables',`
mmap_files_pattern($1, bin_t, exec_type) mmap_files_pattern($1, bin_t, exec_type)
') ')
@ -18381,10 +18389,10 @@ index 0000000..cf6582f
+ +
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644 new file mode 100644
index 0000000..3c3b9b3 index 0000000..d74943c
--- /dev/null --- /dev/null
+++ b/policy/modules/roles/unconfineduser.te +++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,331 @@ @@ -0,0 +1,332 @@
+policy_module(unconfineduser, 1.0.0) +policy_module(unconfineduser, 1.0.0)
+ +
+######################################## +########################################
@ -18574,6 +18582,7 @@ index 0000000..3c3b9b3
+ +
+optional_policy(` +optional_policy(`
+ dbus_role_template(unconfined, unconfined_r, unconfined_t) + dbus_role_template(unconfined, unconfined_r, unconfined_t)
+ role system_r types unconfined_dbusd_t;
+ +
+ optional_policy(` + optional_policy(`
+ unconfined_domain(unconfined_dbusd_t) + unconfined_domain(unconfined_dbusd_t)
@ -22530,7 +22539,7 @@ index 6bf0ecc..d740738 100644
+ dontaudit $1 xserver_log_t:dir search_dir_perms; + dontaudit $1 xserver_log_t:dir search_dir_perms;
+') +')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 2696452..63fd06a 100644 index 2696452..0426df3 100644
--- a/policy/modules/services/xserver.te --- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(` @@ -26,28 +26,59 @@ gen_require(`
@ -22876,7 +22885,7 @@ index 2696452..63fd06a 100644
ssh_sigchld(xauth_t) ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t) ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t)
@@ -299,64 +408,108 @@ optional_policy(` @@ -299,64 +408,109 @@ optional_policy(`
# XDM Local policy # XDM Local policy
# #
@ -22903,10 +22912,11 @@ index 2696452..63fd06a 100644
allow xdm_t self:socket create_socket_perms; allow xdm_t self:socket create_socket_perms;
allow xdm_t self:appletalk_socket create_socket_perms; allow xdm_t self:appletalk_socket create_socket_perms;
allow xdm_t self:key { search link write }; allow xdm_t self:key { search link write };
+allow xdm_t self:dbus { send_msg acquire_svc };
+
+allow xdm_t xauth_home_t:file manage_file_perms;
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; -allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t xauth_home_t:file manage_file_perms;
+
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
@ -22995,7 +23005,7 @@ index 2696452..63fd06a 100644
# connect to xdm xserver over stream socket # connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -365,20 +518,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -365,20 +519,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@ -23025,7 +23035,7 @@ index 2696452..63fd06a 100644
corenet_all_recvfrom_netlabel(xdm_t) corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t)
@@ -388,38 +548,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) @@ -388,38 +549,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t) corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t)
@ -23078,7 +23088,7 @@ index 2696452..63fd06a 100644
files_read_etc_files(xdm_t) files_read_etc_files(xdm_t)
files_read_var_files(xdm_t) files_read_var_files(xdm_t)
@@ -430,9 +600,28 @@ files_list_mnt(xdm_t) @@ -430,9 +601,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t) files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm # Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t) files_create_boot_flag(xdm_t)
@ -23107,7 +23117,7 @@ index 2696452..63fd06a 100644
storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t)
@@ -441,28 +630,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) @@ -441,28 +631,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t)
@ -23156,7 +23166,7 @@ index 2696452..63fd06a 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t) userdom_create_all_users_keys(xdm_t)
@@ -471,24 +677,144 @@ userdom_read_user_home_content_files(xdm_t) @@ -471,24 +678,144 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes. # Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t) userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t) userdom_signal_all_users(xdm_t)
@ -23307,7 +23317,7 @@ index 2696452..63fd06a 100644
tunable_policy(`xdm_sysadm_login',` tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t) userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME: # FIXME:
@@ -502,11 +828,26 @@ tunable_policy(`xdm_sysadm_login',` @@ -502,11 +829,26 @@ tunable_policy(`xdm_sysadm_login',`
') ')
optional_policy(` optional_policy(`
@ -23334,7 +23344,7 @@ index 2696452..63fd06a 100644
') ')
optional_policy(` optional_policy(`
@@ -514,12 +855,56 @@ optional_policy(` @@ -514,12 +856,56 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -23391,7 +23401,7 @@ index 2696452..63fd06a 100644
hostname_exec(xdm_t) hostname_exec(xdm_t)
') ')
@@ -537,28 +922,78 @@ optional_policy(` @@ -537,28 +923,78 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -23479,7 +23489,7 @@ index 2696452..63fd06a 100644
') ')
optional_policy(` optional_policy(`
@@ -570,6 +1005,14 @@ optional_policy(` @@ -570,6 +1006,14 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -23494,7 +23504,7 @@ index 2696452..63fd06a 100644
xfs_stream_connect(xdm_t) xfs_stream_connect(xdm_t)
') ')
@@ -594,8 +1037,11 @@ allow xserver_t input_xevent_t:x_event send; @@ -594,8 +1038,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed. # execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack # NVIDIA Needs execstack
@ -23507,7 +23517,7 @@ index 2696452..63fd06a 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use; allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:fifo_file rw_fifo_file_perms;
@@ -608,8 +1054,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -608,8 +1055,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms; allow xserver_t self:udp_socket create_socket_perms;
@ -23523,7 +23533,7 @@ index 2696452..63fd06a 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
@@ -617,6 +1070,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) @@ -617,6 +1071,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -23534,7 +23544,7 @@ index 2696452..63fd06a 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -628,12 +1085,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) @@ -628,12 +1086,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t) files_search_var_lib(xserver_t)
@ -23556,7 +23566,7 @@ index 2696452..63fd06a 100644
kernel_read_system_state(xserver_t) kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t) kernel_read_device_sysctls(xserver_t)
@@ -641,12 +1105,12 @@ kernel_read_modprobe_sysctls(xserver_t) @@ -641,12 +1106,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted # Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t) kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t) kernel_write_proc_files(xserver_t)
@ -23570,7 +23580,7 @@ index 2696452..63fd06a 100644
corenet_all_recvfrom_netlabel(xserver_t) corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t)
@@ -667,23 +1131,28 @@ dev_rw_apm_bios(xserver_t) @@ -667,23 +1132,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t) dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t) dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t) dev_manage_dri_dev(xserver_t)
@ -23602,7 +23612,7 @@ index 2696452..63fd06a 100644
# brought on by rhgb # brought on by rhgb
files_search_mnt(xserver_t) files_search_mnt(xserver_t)
@@ -694,7 +1163,16 @@ fs_getattr_xattr_fs(xserver_t) @@ -694,7 +1164,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t) fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t) fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t) fs_search_ramfs(xserver_t)
@ -23620,7 +23630,7 @@ index 2696452..63fd06a 100644
mls_xwin_read_to_clearance(xserver_t) mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t) selinux_validate_context(xserver_t)
@@ -708,20 +1186,18 @@ init_getpgid(xserver_t) @@ -708,20 +1187,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t) term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t)
@ -23644,7 +23654,7 @@ index 2696452..63fd06a 100644
userdom_search_user_home_dirs(xserver_t) userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t) userdom_use_user_ttys(xserver_t)
@@ -729,8 +1205,6 @@ userdom_setattr_user_ttys(xserver_t) @@ -729,8 +1206,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t) userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t)
@ -23653,7 +23663,7 @@ index 2696452..63fd06a 100644
ifndef(`distro_redhat',` ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack }; allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t) domain_mmap_low_uncond(xserver_t)
@@ -775,16 +1249,44 @@ optional_policy(` @@ -775,16 +1250,44 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -23699,7 +23709,7 @@ index 2696452..63fd06a 100644
unconfined_domtrans(xserver_t) unconfined_domtrans(xserver_t)
') ')
@@ -793,6 +1295,10 @@ optional_policy(` @@ -793,6 +1296,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -23710,7 +23720,7 @@ index 2696452..63fd06a 100644
xfs_stream_connect(xserver_t) xfs_stream_connect(xserver_t)
') ')
@@ -808,10 +1314,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; @@ -808,10 +1315,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!! # handle of a file inside the dir!!!
@ -23724,7 +23734,7 @@ index 2696452..63fd06a 100644
# Label pid and temporary files with derived types. # Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -819,7 +1325,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) @@ -819,7 +1326,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp. # Run xkbcomp.
@ -23733,7 +23743,7 @@ index 2696452..63fd06a 100644
can_exec(xserver_t, xkb_var_lib_t) can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server # VNC v4 module in X server
@@ -832,26 +1338,21 @@ init_use_fds(xserver_t) @@ -832,26 +1339,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail # to read ROLE_home_t - examine this in more detail
# (xauth?) # (xauth?)
userdom_read_user_home_content_files(xserver_t) userdom_read_user_home_content_files(xserver_t)
@ -23768,7 +23778,7 @@ index 2696452..63fd06a 100644
') ')
optional_policy(` optional_policy(`
@@ -902,7 +1403,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy @@ -902,7 +1404,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows # operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -23777,7 +23787,7 @@ index 2696452..63fd06a 100644
# operations allowed on all windows # operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
@@ -956,11 +1457,31 @@ allow x_domain self:x_resource { read write }; @@ -956,11 +1458,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver # can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr }; allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -23809,7 +23819,7 @@ index 2696452..63fd06a 100644
tunable_policy(`! xserver_object_manager',` tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain), # should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals # but typeattribute doesnt work in conditionals
@@ -982,18 +1503,150 @@ tunable_policy(`! xserver_object_manager',` @@ -982,18 +1504,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *; allow x_domain xevent_type:{ x_event x_synthetic_event } *;
') ')
@ -30235,7 +30245,7 @@ index b50c5fe..2faaaf2 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+ +
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 4e94884..55d2481 100644 index 4e94884..9b82ed0 100644
--- a/policy/modules/system/logging.if --- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@ -30397,7 +30407,7 @@ index 4e94884..55d2481 100644
+# +#
+interface(`logging_relabel_syslog_pid_socket',` +interface(`logging_relabel_syslog_pid_socket',`
+ gen_require(` + gen_require(`
+ type devlog_t; + type syslogd_var_run_t;
+ ') + ')
+ +
+ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; + allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
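Review bot: The new `role system_r types unconfined_dbusd_t;` line in the unconfineduser.te hunk widens an unconfined domain to a second role with no comment recording why, and the nested `optional_policy` two lines below applies `unconfined_domain(unconfined_dbusd_t)`, so any system_r domain that can transition into it gains unconfined access. The only rationale is the truncated commit-message line, which will not survive a rebase of the patch file; add a why-comment directly above the role statement, e.g. `# system_r must be able to run unconfined_dbusd_t (commit: "Allow system_r to access unconfined_dbusd_t to run hp_chec...")`. Which system_r domains actually get a type transition into unconfined_dbusd_t is not visible here, so the effective scope should be checked against what dbus_role_template generates. The enclosing optional_policy block starts and ends outside the hunk.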


@ -9774,10 +9774,15 @@ index 4ec0626..88e7e89 100644
userdom_dontaudit_use_unpriv_user_fds(canna_t) userdom_dontaudit_use_unpriv_user_fds(canna_t)
diff --git a/ccs.if b/ccs.if diff --git a/ccs.if b/ccs.if
index 5ded72d..c1b4d35 100644 index 5ded72d..cb94e5e 100644
--- a/ccs.if --- a/ccs.if
+++ b/ccs.if +++ b/ccs.if
@@ -102,16 +102,20 @@ interface(`ccs_admin',` @@ -98,20 +98,24 @@ interface(`ccs_manage_config',`
interface(`ccs_admin',`
gen_require(`
type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
- type ccs_var_lib_t_t, ccs_var_log_t;
+ type ccs_var_lib_t, ccs_var_log_t;
type ccs_var_run_t, ccs_tmp_t; type ccs_var_run_t, ccs_tmp_t;
') ')
@ -12633,7 +12638,7 @@ index 23dc348..7cc536b 100644
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
diff --git a/condor.if b/condor.if diff --git a/condor.if b/condor.if
index 3fe3cb8..b8e08c6 100644 index 3fe3cb8..5fe84a6 100644
--- a/condor.if --- a/condor.if
+++ b/condor.if +++ b/condor.if
@@ -1,81 +1,397 @@ @@ -1,81 +1,397 @@
@ -13046,7 +13051,7 @@ index 3fe3cb8..b8e08c6 100644
+interface(`condor_admin',` +interface(`condor_admin',`
+ gen_require(` + gen_require(`
+ attribute condor_domain; + attribute condor_domain;
+ type condor_initrc_exec_config_t, condor_log_t; + type condor_initrc_exec_t, condor_log_t;
+ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; + type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+ type condor_var_run_t, condor_startd_tmp_t; + type condor_var_run_t, condor_startd_tmp_t;
+ type condor_unit_file_t; + type condor_unit_file_t;
@ -20898,7 +20903,7 @@ index 23ab808..4a801b5 100644
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if diff --git a/dnsmasq.if b/dnsmasq.if
index 19aa0b8..531cf03 100644 index 19aa0b8..1e8b244 100644
--- a/dnsmasq.if --- a/dnsmasq.if
+++ b/dnsmasq.if +++ b/dnsmasq.if
@@ -10,7 +10,6 @@ @@ -10,7 +10,6 @@
@ -21107,11 +21112,12 @@ index 19aa0b8..531cf03 100644
') ')
######################################## ########################################
@@ -267,12 +354,17 @@ interface(`dnsmasq_spec_filetrans_pid',` @@ -267,12 +354,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
interface(`dnsmasq_admin',` interface(`dnsmasq_admin',`
gen_require(` gen_require(`
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
- type dnsmasq_initrc_exec_t, dnsmasq_var_log_t; - type dnsmasq_initrc_exec_t, dnsmasq_var_log_t;
+ type dnsmasq_var_log_t;
+ type dnsmasq_initrc_exec_t; + type dnsmasq_initrc_exec_t;
+ type dnsmasq_unit_file_t; + type dnsmasq_unit_file_t;
') ')
@ -21127,7 +21133,7 @@ index 19aa0b8..531cf03 100644
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1) domain_system_change_exemption($1)
role_transition $2 dnsmasq_initrc_exec_t system_r; role_transition $2 dnsmasq_initrc_exec_t system_r;
@@ -281,9 +373,13 @@ interface(`dnsmasq_admin',` @@ -281,9 +374,13 @@ interface(`dnsmasq_admin',`
files_list_var_lib($1) files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t) admin_pattern($1, dnsmasq_lease_t)
@ -23594,7 +23600,7 @@ index 5cf6ac6..0fc685b 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms; + allow $1 firewalld_unit_file_t:service all_service_perms;
') ')
diff --git a/firewalld.te b/firewalld.te diff --git a/firewalld.te b/firewalld.te
index c8014f8..64e18e1 100644 index c8014f8..2888d51 100644
--- a/firewalld.te --- a/firewalld.te
+++ b/firewalld.te +++ b/firewalld.te
@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t) @@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
@ -23619,7 +23625,15 @@ index c8014f8..64e18e1 100644
dontaudit firewalld_t self:capability sys_tty_config; dontaudit firewalld_t self:capability sys_tty_config;
allow firewalld_t self:fifo_file rw_fifo_file_perms; allow firewalld_t self:fifo_file rw_fifo_file_perms;
allow firewalld_t self:unix_stream_socket { accept listen }; allow firewalld_t self:unix_stream_socket { accept listen };
@@ -40,11 +49,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms; @@ -33,6 +42,7 @@ allow firewalld_t self:udp_socket create_socket_perms;
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
allow firewalld_t firewalld_var_log_t:file append_file_perms;
allow firewalld_t firewalld_var_log_t:file create_file_perms;
@@ -40,11 +50,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
allow firewalld_t firewalld_var_log_t:file setattr_file_perms; allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
logging_log_filetrans(firewalld_t, firewalld_var_log_t, file) logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
@ -23641,7 +23655,7 @@ index c8014f8..64e18e1 100644
corecmd_exec_bin(firewalld_t) corecmd_exec_bin(firewalld_t)
corecmd_exec_shell(firewalld_t) corecmd_exec_shell(firewalld_t)
@@ -53,20 +72,17 @@ dev_read_urand(firewalld_t) @@ -53,20 +73,17 @@ dev_read_urand(firewalld_t)
domain_use_interactive_fds(firewalld_t) domain_use_interactive_fds(firewalld_t)
@ -23667,7 +23681,7 @@ index c8014f8..64e18e1 100644
optional_policy(` optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t) dbus_system_domain(firewalld_t, firewalld_exec_t)
@@ -85,6 +101,10 @@ optional_policy(` @@ -85,6 +102,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -28851,10 +28865,10 @@ index 0000000..f4659d1
+/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0) +/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0)
diff --git a/gssproxy.if b/gssproxy.if diff --git a/gssproxy.if b/gssproxy.if
new file mode 100644 new file mode 100644
index 0000000..28263c7 index 0000000..4bd5abf
--- /dev/null --- /dev/null
+++ b/gssproxy.if +++ b/gssproxy.if
@@ -0,0 +1,204 @@ @@ -0,0 +1,203 @@
+ +
+## <summary>policy for gssproxy</summary> +## <summary>policy for gssproxy</summary>
+ +
@ -28989,7 +29003,6 @@ index 0000000..28263c7
+ ') + ')
+ +
+ systemd_exec_systemctl($1) + systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 gssproxy_unit_file_t:file read_file_perms; + allow $1 gssproxy_unit_file_t:file read_file_perms;
+ allow $1 gssproxy_unit_file_t:service manage_service_perms; + allow $1 gssproxy_unit_file_t:service manage_service_perms;
+ +
@ -29927,6 +29940,21 @@ index ecad9c7..86d790f 100644
optional_policy(` optional_policy(`
seutil_use_newrole_fds(irc_t) seutil_use_newrole_fds(irc_t)
') ')
diff --git a/ircd.if b/ircd.if
index ade9803..3620c9a 100644
--- a/ircd.if
+++ b/ircd.if
@@ -33,8 +33,8 @@ interface(`ircd_admin',`
files_search_etc($1)
admin_pattern($1, ircd_etc_t)
-
- logging_search_log($1)
+
+ logging_search_logs($1)
admin_pattern($1, ircd_log_t)
files_search_var_lib($1)
diff --git a/ircd.te b/ircd.te diff --git a/ircd.te b/ircd.te
index e9f746e..40e440c 100644 index e9f746e..40e440c 100644
--- a/ircd.te --- a/ircd.te
@ -37838,7 +37866,7 @@ index a83894c..481dca3 100644
+ +
+/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0) +/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0)
diff --git a/modemmanager.if b/modemmanager.if diff --git a/modemmanager.if b/modemmanager.if
index b1ac8b5..90ca430 100644 index b1ac8b5..d65017f 100644
--- a/modemmanager.if --- a/modemmanager.if
+++ b/modemmanager.if +++ b/modemmanager.if
@@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',` @@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',`
@ -37860,7 +37888,7 @@ index b1ac8b5..90ca430 100644
+ ') + ')
+ +
+ systemd_exec_systemctl($1) + systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1) + systemd_read_fifo_file_passwd_run($1)
+ allow $1 modemmanager_unit_file_t:file read_file_perms; + allow $1 modemmanager_unit_file_t:file read_file_perms;
+ allow $1 modemmanager_unit_file_t:service manage_service_perms; + allow $1 modemmanager_unit_file_t:service manage_service_perms;
+ +
@ -38038,6 +38066,19 @@ index d287fe9..3dc493c 100644
init_dbus_chat_script(mono_t) init_dbus_chat_script(mono_t)
diff --git a/monop.if b/monop.if
index 8fdaece..5440757 100644
--- a/monop.if
+++ b/monop.if
@@ -31,7 +31,7 @@ interface(`monop_admin',`
role_transition $2 monopd_initrc_exec_t system_r;
allow $2 system_r;
- logging_search_etc($1)
+ logging_search_logs($1)
admin_pattern($1, monopd_etc_t)
files_search_pids($1)
diff --git a/monop.te b/monop.te diff --git a/monop.te b/monop.te
index 4462c0e..84944d1 100644 index 4462c0e..84944d1 100644
--- a/monop.te --- a/monop.te
@ -46701,7 +46742,7 @@ index 8f2ab09..7b8f5ad 100644
+ allow $1 nscd_unit_file_t:service all_service_perms; + allow $1 nscd_unit_file_t:service all_service_perms;
') ')
diff --git a/nscd.te b/nscd.te diff --git a/nscd.te b/nscd.te
index df4c10f..2814186 100644 index df4c10f..8c09c68 100644
--- a/nscd.te --- a/nscd.te
+++ b/nscd.te +++ b/nscd.te
@@ -1,36 +1,37 @@ @@ -1,36 +1,37 @@
@ -46851,7 +46892,7 @@ index df4c10f..2814186 100644
userdom_dontaudit_use_user_terminals(nscd_t) userdom_dontaudit_use_user_terminals(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t) userdom_dontaudit_search_user_home_dirs(nscd_t)
@@ -121,20 +130,30 @@ optional_policy(` @@ -121,20 +130,31 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -46881,6 +46922,7 @@ index df4c10f..2814186 100644
- udev_read_db(nscd_t) - udev_read_db(nscd_t)
+ samba_read_config(nscd_t) + samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t) + samba_read_var_files(nscd_t)
+ samba_stream_connect_nmbd(nscd_t)
') ')
optional_policy(` optional_policy(`
@ -52601,10 +52643,10 @@ index 96db654..ff3aadd 100644
+ virt_rw_svirt_dev(pcscd_t) + virt_rw_svirt_dev(pcscd_t)
+') +')
diff --git a/pegasus.fc b/pegasus.fc diff --git a/pegasus.fc b/pegasus.fc
index dfd46e4..0aead56 100644 index dfd46e4..2e04b85 100644
--- a/pegasus.fc --- a/pegasus.fc
+++ b/pegasus.fc +++ b/pegasus.fc
@@ -1,15 +1,21 @@ @@ -1,15 +1,24 @@
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+ +
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
@ -52613,27 +52655,30 @@ index dfd46e4..0aead56 100644
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) +/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) +/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+
+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) +/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
-/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) +/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
+#openlmi agents +#openlmi agents
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_networking_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_service_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) -/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
diff --git a/pegasus.if b/pegasus.if diff --git a/pegasus.if b/pegasus.if
index d2fc677..ded726f 100644 index d2fc677..ded726f 100644
--- a/pegasus.if --- a/pegasus.if
@ -52735,7 +52780,7 @@ index d2fc677..ded726f 100644
') ')
+ +
diff --git a/pegasus.te b/pegasus.te diff --git a/pegasus.te b/pegasus.te
index 7bcf327..b6885d4 100644 index 7bcf327..f36e1ae 100644
--- a/pegasus.te --- a/pegasus.te
+++ b/pegasus.te +++ b/pegasus.te
@@ -1,17 +1,16 @@ @@ -1,17 +1,16 @@
@ -52759,21 +52804,24 @@ index 7bcf327..b6885d4 100644
type pegasus_cache_t; type pegasus_cache_t;
files_type(pegasus_cache_t) files_type(pegasus_cache_t)
@@ -30,20 +29,199 @@ files_type(pegasus_mof_t) @@ -30,20 +29,213 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t; type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t) files_pid_file(pegasus_var_run_t)
+# pegasus openlmi providers +# pegasus openlmi providers
+pegasus_openlmi_domain_template(admin)
+typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t;
+
+pegasus_openlmi_domain_template(account) +pegasus_openlmi_domain_template(account)
+pegasus_openlmi_domain_template(logicalfile) +pegasus_openlmi_domain_template(logicalfile)
+pegasus_openlmi_domain_template(networking) +pegasus_openlmi_domain_template(services)
+pegasus_openlmi_domain_template(service)
+ +
+pegasus_openlmi_domain_template(storage) +pegasus_openlmi_domain_template(storage)
+type pegasus_openlmi_storage_tmp_t; +type pegasus_openlmi_storage_tmp_t;
+files_tmp_file(pegasus_openlmi_storage_tmp_t) +files_tmp_file(pegasus_openlmi_storage_tmp_t)
+ +
+pegasus_openlmi_domain_template(system) +pegasus_openlmi_domain_template(system)
+typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t;
+pegasus_openlmi_domain_template(unconfined) +pegasus_openlmi_domain_template(unconfined)
+ +
+####################################### +#######################################
@ -52862,26 +52910,38 @@ index 7bcf327..b6885d4 100644
+ # so we want to have unconfined_domain attribute for filename rules + # so we want to have unconfined_domain attribute for filename rules
+ unconfined_domain(pegasus_openlmi_logicalfile_t) + unconfined_domain(pegasus_openlmi_logicalfile_t)
+') +')
+######################################
+#
+# pegasus openlmi networking local policy
+#
+
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_services_t)
+')
+
+optional_policy(`
+ realmd_dbus_chat(pegasus_openlmi_services_t)
+')
+ +
+###################################### +######################################
+# +#
+# pegasus openlmi networking local policy +# pegasus openlmi networking local policy
+# +#
+ +
+allow pegasus_openlmi_networking_t self:capability { net_admin }; +allow pegasus_openlmi_system_t self:capability { net_admin };
+ +
+allow pegasus_openlmi_networking_t self:netlink_route_socket r_netlink_socket_perms;; +allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;;
+allow pegasus_openlmi_networking_t self:udp_socket create_socket_perms; +allow pegasus_openlmi_system_t self:udp_socket create_socket_perms;
+ +
+dev_rw_sysfs(pegasus_openlmi_networking_t) +dev_rw_sysfs(pegasus_openlmi_system_t)
+dev_read_urand(pegasus_openlmi_networking_t) +dev_read_urand(pegasus_openlmi_system_t)
+ +
+optional_policy(` +optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_networking_t) + dbus_system_bus_client(pegasus_openlmi_system_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(pegasus_openlmi_networking_t)
+') +')
+
+optional_policy(`
+ networkmanager_dbus_chat(pegasus_openlmi_system_t)
+') +')
+ +
+###################################### +######################################
@ -52889,20 +52949,19 @@ index 7bcf327..b6885d4 100644
+# pegasus openlmi service local policy +# pegasus openlmi service local policy
+# +#
+ +
+init_disable_services(pegasus_openlmi_admin_t)
+init_enable_services(pegasus_openlmi_admin_t)
+init_reload_services(pegasus_openlmi_admin_t)
+init_exec(pegasus_openlmi_admin_t)
+ +
+init_disable_services(pegasus_openlmi_service_t) +systemd_config_all_services(pegasus_openlmi_admin_t)
+init_enable_services(pegasus_openlmi_service_t) +systemd_manage_all_unit_files(pegasus_openlmi_admin_t)
+init_reload_services(pegasus_openlmi_service_t) +systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t)
+init_exec(pegasus_openlmi_service_t)
+
+systemd_config_all_services(pegasus_openlmi_service_t)
+systemd_manage_all_unit_files(pegasus_openlmi_service_t)
+systemd_manage_all_unit_lnk_files(pegasus_openlmi_service_t)
+ +
+allow pegasus_openlmi_service_t self:udp_socket create_socket_perms; +allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
+ +
+optional_policy(` +optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_service_t) + dbus_system_bus_client(pegasus_openlmi_admin_t)
+') +')
+ +
+###################################### +######################################
@ -52964,7 +53023,7 @@ index 7bcf327..b6885d4 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
@@ -54,22 +232,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) @@ -54,22 +246,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@ -52995,7 +53054,7 @@ index 7bcf327..b6885d4 100644
kernel_read_network_state(pegasus_t) kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t) kernel_read_kernel_sysctls(pegasus_t)
@@ -80,27 +258,21 @@ kernel_read_net_sysctls(pegasus_t) @@ -80,27 +272,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t) kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t)
@ -53028,7 +53087,7 @@ index 7bcf327..b6885d4 100644
corecmd_exec_bin(pegasus_t) corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t) corecmd_exec_shell(pegasus_t)
@@ -114,6 +286,7 @@ files_getattr_all_dirs(pegasus_t) @@ -114,6 +300,7 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t) auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t) auth_domtrans_chk_passwd(pegasus_t)
@ -53036,7 +53095,7 @@ index 7bcf327..b6885d4 100644
domain_use_interactive_fds(pegasus_t) domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t) domain_read_all_domains_state(pegasus_t)
@@ -128,18 +301,25 @@ init_stream_connect_script(pegasus_t) @@ -128,18 +315,25 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t) logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t) logging_send_syslog_msg(pegasus_t)
@ -53068,7 +53127,7 @@ index 7bcf327..b6885d4 100644
') ')
optional_policy(` optional_policy(`
@@ -151,16 +331,24 @@ optional_policy(` @@ -151,16 +345,24 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -53097,7 +53156,7 @@ index 7bcf327..b6885d4 100644
') ')
optional_policy(` optional_policy(`
@@ -168,7 +356,7 @@ optional_policy(` @@ -168,7 +370,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -53120,7 +53179,7 @@ index 0000000..7b54c39
+/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0) +/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0)
diff --git a/pesign.if b/pesign.if diff --git a/pesign.if b/pesign.if
new file mode 100644 new file mode 100644
index 0000000..c20674c index 0000000..26b1f0c
--- /dev/null --- /dev/null
+++ b/pesign.if +++ b/pesign.if
@@ -0,0 +1,103 @@ @@ -0,0 +1,103 @@
@ -53181,7 +53240,7 @@ index 0000000..c20674c
+ ') + ')
+ +
+ systemd_exec_systemctl($1) + systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1) + systemd_read_fifo_file_passwd_run($1)
+ allow $1 pesign_unit_file_t:file read_file_perms; + allow $1 pesign_unit_file_t:file read_file_perms;
+ allow $1 pesign_unit_file_t:service manage_service_perms; + allow $1 pesign_unit_file_t:service manage_service_perms;
+ +
@ -56706,7 +56765,7 @@ index c0e8785..c0e0959 100644
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0) /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
diff --git a/postfix.if b/postfix.if diff --git a/postfix.if b/postfix.if
index 2e23946..589bbf2 100644 index 2e23946..e9ac366 100644
--- a/postfix.if --- a/postfix.if
+++ b/postfix.if +++ b/postfix.if
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -57145,7 +57204,7 @@ index 2e23946..589bbf2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -478,30 +479,84 @@ interface(`postfix_domtrans_postqueue',` @@ -478,30 +479,85 @@ interface(`postfix_domtrans_postqueue',`
type postfix_postqueue_t, postfix_postqueue_exec_t; type postfix_postqueue_t, postfix_postqueue_exec_t;
') ')
@ -57198,6 +57257,7 @@ index 2e23946..589bbf2 100644
+interface(`postfix_domtrans_postgqueue',` +interface(`postfix_domtrans_postgqueue',`
+ gen_require(` + gen_require(`
+ type postfix_postgqueue_t; + type postfix_postgqueue_t;
+ type postfix_postgqueue_exec_t;
+ ') + ')
+ domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t) + domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t)
+') +')
@ -57240,7 +57300,7 @@ index 2e23946..589bbf2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -514,13 +569,12 @@ interface(`postfix_exec_postqueue',` @@ -514,13 +570,12 @@ interface(`postfix_exec_postqueue',`
type postfix_postqueue_exec_t; type postfix_postqueue_exec_t;
') ')
@ -57255,7 +57315,7 @@ index 2e23946..589bbf2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -533,13 +587,13 @@ interface(`postfix_create_private_sockets',` @@ -533,13 +588,13 @@ interface(`postfix_create_private_sockets',`
type postfix_private_t; type postfix_private_t;
') ')
@ -57271,7 +57331,7 @@ index 2e23946..589bbf2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -552,13 +606,14 @@ interface(`postfix_manage_private_sockets',` @@ -552,13 +607,14 @@ interface(`postfix_manage_private_sockets',`
type postfix_private_t; type postfix_private_t;
') ')
@ -57288,7 +57348,7 @@ index 2e23946..589bbf2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -571,14 +626,12 @@ interface(`postfix_domtrans_smtp',` @@ -571,14 +627,12 @@ interface(`postfix_domtrans_smtp',`
type postfix_smtp_t, postfix_smtp_exec_t; type postfix_smtp_t, postfix_smtp_exec_t;
') ')
@ -57304,7 +57364,7 @@ index 2e23946..589bbf2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -586,7 +639,7 @@ interface(`postfix_domtrans_smtp',` @@ -586,7 +640,7 @@ interface(`postfix_domtrans_smtp',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -57313,7 +57373,7 @@ index 2e23946..589bbf2 100644
gen_require(` gen_require(`
attribute postfix_spool_type; attribute postfix_spool_type;
') ')
@@ -607,11 +660,11 @@ interface(`postfix_getattr_all_spool_files',` @@ -607,11 +661,11 @@ interface(`postfix_getattr_all_spool_files',`
# #
interface(`postfix_search_spool',` interface(`postfix_search_spool',`
gen_require(` gen_require(`
@ -57327,7 +57387,7 @@ index 2e23946..589bbf2 100644
') ')
######################################## ########################################
@@ -626,11 +679,11 @@ interface(`postfix_search_spool',` @@ -626,11 +680,11 @@ interface(`postfix_search_spool',`
# #
interface(`postfix_list_spool',` interface(`postfix_list_spool',`
gen_require(` gen_require(`
@ -57341,7 +57401,7 @@ index 2e23946..589bbf2 100644
') ')
######################################## ########################################
@@ -645,17 +698,16 @@ interface(`postfix_list_spool',` @@ -645,17 +699,16 @@ interface(`postfix_list_spool',`
# #
interface(`postfix_read_spool_files',` interface(`postfix_read_spool_files',`
gen_require(` gen_require(`
@ -57362,7 +57422,7 @@ index 2e23946..589bbf2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -665,11 +717,31 @@ interface(`postfix_read_spool_files',` @@ -665,11 +718,31 @@ interface(`postfix_read_spool_files',`
# #
interface(`postfix_manage_spool_files',` interface(`postfix_manage_spool_files',`
gen_require(` gen_require(`
@ -57396,7 +57456,7 @@ index 2e23946..589bbf2 100644
') ')
######################################## ########################################
@@ -693,8 +765,8 @@ interface(`postfix_domtrans_user_mail_handler',` @@ -693,8 +766,8 @@ interface(`postfix_domtrans_user_mail_handler',`
######################################## ########################################
## <summary> ## <summary>
@ -57407,7 +57467,7 @@ index 2e23946..589bbf2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -710,37 +782,137 @@ interface(`postfix_domtrans_user_mail_handler',` @@ -710,37 +783,137 @@ interface(`postfix_domtrans_user_mail_handler',`
# #
interface(`postfix_admin',` interface(`postfix_admin',`
gen_require(` gen_require(`
@ -64824,10 +64884,10 @@ index 70ab68b..e97da31 100644
/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0) /var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
diff --git a/quantum.if b/quantum.if diff --git a/quantum.if b/quantum.if
index afc0068..5fb7731 100644 index afc0068..7b3cfad 100644
--- a/quantum.if --- a/quantum.if
+++ b/quantum.if +++ b/quantum.if
@@ -2,41 +2,292 @@ @@ -2,41 +2,293 @@
######################################## ########################################
## <summary> ## <summary>
@ -65056,6 +65116,7 @@ index afc0068..5fb7731 100644
+# +#
+interface(`quantum_stream_connect',` +interface(`quantum_stream_connect',`
+ gen_require(` + gen_require(`
+ type quantum_t;
+ type quantum_var_lib_t; + type quantum_var_lib_t;
+ ') + ')
+ +
@ -80163,7 +80224,7 @@ index 0000000..92c3638
+ +
+sysnet_dns_name_resolve(smsd_t) +sysnet_dns_name_resolve(smsd_t)
diff --git a/smstools.if b/smstools.if diff --git a/smstools.if b/smstools.if
index cbfe369..085ac13 100644 index cbfe369..6594af3 100644
--- a/smstools.if --- a/smstools.if
+++ b/smstools.if +++ b/smstools.if
@@ -1,5 +1,81 @@ @@ -1,5 +1,81 @@
@ -80248,6 +80309,15 @@ index cbfe369..085ac13 100644
######################################## ########################################
## <summary> ## <summary>
## All of the rules required to ## All of the rules required to
@@ -32,7 +108,7 @@ interface(`smstools_admin',`
role_transition $2 smsd_initrc_exec_t system_r;
allow $2 system_r;
- files_search_config($1)
+ files_search_etc($1)
admin_pattern($1, smsd_conf_t)
files_search_var_lib($1)
diff --git a/snapper.fc b/snapper.fc diff --git a/snapper.fc b/snapper.fc
new file mode 100644 new file mode 100644
index 0000000..3f412d5 index 0000000..3f412d5
@ -95127,7 +95197,7 @@ index 36e32df..3d08962 100644
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
') ')
diff --git a/zarafa.te b/zarafa.te diff --git a/zarafa.te b/zarafa.te
index a4479b1..1d12d58 100644 index a4479b1..7a9f1b6 100644
--- a/zarafa.te --- a/zarafa.te
+++ b/zarafa.te +++ b/zarafa.te
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -95250,7 +95320,7 @@ index a4479b1..1d12d58 100644
manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
@@ -109,70 +117,78 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file } @@ -109,70 +117,80 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file }
stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
@ -95307,9 +95377,10 @@ index a4479b1..1d12d58 100644
-corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t) -corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t)
+ +
+auth_use_nsswitch(zarafa_spooler_t) +auth_use_nsswitch(zarafa_spooler_t)
+
+######################################## ########################################
+# #
-# Zarafa domain local policy
+# zarafa_gateway local policy +# zarafa_gateway local policy
+# +#
+corenet_tcp_bind_pop_port(zarafa_gateway_t) +corenet_tcp_bind_pop_port(zarafa_gateway_t)
@ -95317,8 +95388,8 @@ index a4479b1..1d12d58 100644
+####################################### +#######################################
+# +#
+# zarafa-ical local policy +# zarafa-ical local policy
+# #
+
+corenet_tcp_bind_http_cache_port(zarafa_ical_t) +corenet_tcp_bind_http_cache_port(zarafa_ical_t)
+ +
+###################################### +######################################
@ -95326,13 +95397,12 @@ index a4479b1..1d12d58 100644
+# zarafa-monitor local policy +# zarafa-monitor local policy
+# +#
+ +
+
######################################## +########################################
# +#
-# Zarafa domain local policy
+# zarafa domains local policy +# zarafa domains local policy
# +#
+
+# bad permission on /etc/zarafa +# bad permission on /etc/zarafa
allow zarafa_domain self:capability { kill dac_override chown setgid setuid }; allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
-allow zarafa_domain self:process { setrlimit signal }; -allow zarafa_domain self:process { setrlimit signal };
@ -95351,10 +95421,11 @@ index a4479b1..1d12d58 100644
- -
dev_read_rand(zarafa_domain) dev_read_rand(zarafa_domain)
dev_read_urand(zarafa_domain) dev_read_urand(zarafa_domain)
-
-logging_send_syslog_msg(zarafa_domain) -logging_send_syslog_msg(zarafa_domain)
- -
-miscfiles_read_localization(zarafa_domain) -miscfiles_read_localization(zarafa_domain)
+dev_read_sysfs(zarafa_domain)
diff --git a/zebra.fc b/zebra.fc diff --git a/zebra.fc b/zebra.fc
index 28ee4ca..e1b30b2 100644 index 28ee4ca..e1b30b2 100644
--- a/zebra.fc --- a/zebra.fc


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.12.1 Version: 3.12.1
Release: 68%{?dist} Release: 69%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -538,6 +538,25 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Wed Jul 31 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-69
- Add more aliases in pegasus.te
- Add more fixes for *_admin interfaces
- Add interface fixes
- Allow nscd to stream connect to nmbd
- Allow gnupg apps to write to pcscd socket
- Add more fixes for openlmi provides. Fix naming and support for additionals
- Allow fetchmail to resolve host names
- Allow firewalld to interact also with lnk files labeled as firewalld_etc_rw_t
- Add labeling for cmpiLMI_Fan-cimprovagt
- Allow net_admin for glusterd
- Allow telepathy domain to create dconf with correct labeling in /home/userX/.cache/
- Add pegasus_openlmi_system_t
- Fix puppet_domtrans_master() to make all puppet calling working in passenger.te
- Fix corecmd_exec_chroot()
- Fix logging_relabel_syslog_pid_socket interface
- Fix typo in unconfineduser.te
- Allow system_r to access unconfined_dbusd_t to run hp_chec
* Tue Jul 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-68 * Tue Jul 30 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-68
- Allow xdm_t to act as a dbus client to itsel - Allow xdm_t to act as a dbus client to itsel
- Allow fetchmail to resolve host names - Allow fetchmail to resolve host names