From 5deba1c4da35371def79b7c14891c81509641cb5 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Thu, 20 Oct 2011 17:51:34 +0200 Subject: [PATCH 1/2] Add cloudform to modules-targetd.conf --- modules-targeted.conf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/modules-targeted.conf b/modules-targeted.conf index 390ee4d0..e26feb7a 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2452,4 +2452,9 @@ cfengine = module # polipo = module - +# Layer: services +# Module: cloudform +# +# cloudform daemons +# +cloudform = module From 1944b1a36ec1671c2639c5f0b09175b98452b2a7 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Thu, 20 Oct 2011 18:00:51 +0200 Subject: [PATCH 2/2] Remove tzdata policy --- policy-F16.patch | 828 ++++++++++++++++++++++++++++++++++++-------- selinux-policy.spec | 8 +- 2 files changed, 693 insertions(+), 143 deletions(-) diff --git a/policy-F16.patch b/policy-F16.patch index af52c93b..01d3a375 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -511,7 +511,7 @@ index 7a6f06f..e117271 100644 /usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if -index 63eb96b..98307a8 100644 +index 63eb96b..d7a6063 100644 --- a/policy/modules/admin/bootloader.if +++ b/policy/modules/admin/bootloader.if @@ -19,6 +19,24 @@ interface(`bootloader_domtrans',` @@ -539,6 +539,15 @@ index 63eb96b..98307a8 100644 ######################################## ## ## Execute bootloader interactively and do +@@ -106,7 +124,7 @@ interface(`bootloader_rw_tmp_files',` + ') + + files_search_tmp($1) +- allow $1 bootloader_tmp_t:file rw_file_perms; ++ allow $1 bootloader_tmp_t:file rw_inherited_file_perms; + ') + + ######################################## @@ -128,3 +146,22 @@ interface(`bootloader_create_runtime_file',` allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; files_boot_filetrans($1, boot_runtime_t, file) 
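Review bot: `cloudform = module` is switched on here in patch 1/2, but the cloudform .te/.if/.fc sources only arrive in patch 2/2 (the policy-F16.patch hunk at @@ -28764), so at this commit modules-targeted.conf names a module the tree does not contain. Whether the build tolerates a listed-but-missing module depends on the Makefile's wildcard handling, so either move this line into the second patch or reorder the series so the sources land first; at minimum the message should say the sources follow. The Layer/Module comment block itself matches the file's existing convention.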
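Review bot: The inner change to `bootloader_rw_tmp_files` replaces `rw_file_perms` with `rw_inherited_file_perms`, which drops `open` and so narrows the interface to descriptors the caller already holds; any caller that opens bootloader_tmp_t files itself is now denied, while the interface's doc block above this hunk (not shown) still describes plain read/write. Either update that summary to `## Read and write inherited bootloader temporary files.` or add a separate `bootloader_rw_inherited_tmp_files` interface and leave the existing one intact for current callers. This also assumes `rw_inherited_file_perms` is defined in this tree's obj_perm_sets.spt — it is a Fedora addition rather than an upstream refpolicy set, so confirm before building.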
@@ -563,7 +572,7 @@ index 63eb96b..98307a8 100644 + files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf") +') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index d3da8f2..9e5a1d0 100644 +index d3da8f2..a10844b 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -23,7 +23,7 @@ role system_r types bootloader_t; @@ -600,7 +609,14 @@ index d3da8f2..9e5a1d0 100644 term_dontaudit_manage_pty_dirs(bootloader_t) corecmd_exec_all_executables(bootloader_t) -@@ -101,6 +103,7 @@ files_read_usr_src_files(bootloader_t) +@@ -95,12 +97,14 @@ domain_use_interactive_fds(bootloader_t) + files_create_boot_dirs(bootloader_t) + files_manage_boot_files(bootloader_t) + files_manage_boot_symlinks(bootloader_t) ++files_manage_kernel_modules(bootloader_t) + files_read_etc_files(bootloader_t) + files_exec_etc_files(bootloader_t) + files_read_usr_src_files(bootloader_t) files_read_usr_files(bootloader_t) files_read_var_files(bootloader_t) files_read_kernel_modules(bootloader_t) @@ -608,7 +624,7 @@ index d3da8f2..9e5a1d0 100644 # for nscd files_dontaudit_search_pids(bootloader_t) # for blkid.tab -@@ -108,6 +111,7 @@ files_manage_etc_runtime_files(bootloader_t) +@@ -108,6 +112,7 @@ files_manage_etc_runtime_files(bootloader_t) files_etc_filetrans_etc_runtime(bootloader_t, file) files_dontaudit_search_home(bootloader_t) @@ -616,11 +632,11 @@ index d3da8f2..9e5a1d0 100644 init_getattr_initctl(bootloader_t) init_use_script_ptys(bootloader_t) init_use_script_fds(bootloader_t) -@@ -115,19 +119,21 @@ init_rw_script_pipes(bootloader_t) +@@ -115,19 +120,21 @@ init_rw_script_pipes(bootloader_t) libs_read_lib_files(bootloader_t) libs_exec_lib_files(bootloader_t) -+libs_use_ld_so(bootloader_t) ++libs_exec_ld_so(bootloader_t) + +auth_use_nsswitch(bootloader_t) 
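Review bot: `files_manage_kernel_modules(bootloader_t)` gives the bootloader domain create/write/unlink over the kernel module tree, a far wider grant than the `files_read_kernel_modules(bootloader_t)` that remains three lines below and is now subsumed by it. Nothing in the hunk records what needs write access, so add a why-comment on the new line, e.g. `# presumably for initramfs/module-tree updates by the kernel install scripts — TODO confirm against the AVC that motivated this`, and drop the now-redundant read interface in the same change. The bootloader_t rule block continues outside this hunk.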
@@ -641,7 +657,7 @@ index d3da8f2..9e5a1d0 100644 userdom_dontaudit_search_user_home_dirs(bootloader_t) ifdef(`distro_debian',` -@@ -162,8 +168,10 @@ ifdef(`distro_redhat',` +@@ -162,8 +169,10 @@ ifdef(`distro_redhat',` files_manage_isid_type_blk_files(bootloader_t) files_manage_isid_type_chr_files(bootloader_t) @@ -654,7 +670,7 @@ index d3da8f2..9e5a1d0 100644 optional_policy(` unconfined_domain(bootloader_t) -@@ -171,6 +179,10 @@ ifdef(`distro_redhat',` +@@ -171,6 +180,10 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -665,7 +681,7 @@ index d3da8f2..9e5a1d0 100644 fstools_exec(bootloader_t) ') -@@ -180,6 +192,10 @@ optional_policy(` +@@ -180,6 +193,10 @@ optional_policy(` ') optional_policy(` @@ -676,7 +692,7 @@ index d3da8f2..9e5a1d0 100644 kudzu_domtrans(bootloader_t) ') -@@ -192,15 +208,13 @@ optional_policy(` +@@ -192,15 +209,13 @@ optional_policy(` optional_policy(` modutils_exec_insmod(bootloader_t) @@ -1891,10 +1907,10 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te new file mode 100644 -index 0000000..7da376a +index 0000000..23bef3c --- /dev/null +++ b/policy/modules/admin/permissivedomains.te -@@ -0,0 +1,310 @@ +@@ -0,0 +1,333 @@ +policy_module(permissivedomains,16) + +optional_policy(` @@ -1914,6 +1930,14 @@ index 0000000..7da376a +') + +optional_policy(` ++ gen_require(` ++ type quota_nld_t; ++ ') ++ ++ permissive quota_nld_t; ++') ++ ++optional_policy(` + gen_require(` + type bootloader_t; + ') @@ -2205,6 +2229,21 @@ index 0000000..7da376a + permissive virt_qmf_t; +') + ++# for cloudform daemons ++ ++optional_policy(` ++ gen_require(` ++ type deltacloudd_t; ++ type iwhd_t; ++ type mongod_t; ++ type thin_t; ++ ') ++ ++ permissive deltacloudd_t; ++ permissive iwhd_t; ++ permissive mongod_t; ++ permissive thin_t; ++') diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index db46387..b665b08 100644 
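Review bot: `permissive quota_nld_t;` (and the cloudform block added later in this file at @@ -2205 for deltacloudd_t, iwhd_t, mongod_t and thin_t) ships these domains with denials logged but not enforced, so until the line is removed the label yields audit data only. Each block should carry its exit condition so the entry is not forgotten, e.g. `# permissive while the quota_nld policy is exercised; remove once no AVCs are reported`. The cloudform.te hunk still contains commented-out AVC lines and a `#temporary` generic-port bind, which justifies keeping those four permissive for now but means the two should be tracked and removed together.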
--- a/policy/modules/admin/portage.fc @@ -2404,11 +2443,23 @@ index af55369..ec838bd 100644 + ') + miscfiles_read_man_pages(prelink_t) +') +diff --git a/policy/modules/admin/quota.fc b/policy/modules/admin/quota.fc +index f387230..a59bf52 100644 +--- a/policy/modules/admin/quota.fc ++++ b/policy/modules/admin/quota.fc +@@ -17,3 +17,7 @@ ifdef(`distro_redhat',` + ',` + /sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) + ') ++ ++/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0) ++ ++/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0) diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if -index bf75d99..1698e8f 100644 +index bf75d99..9e3153a 100644 --- a/policy/modules/admin/quota.if +++ b/policy/modules/admin/quota.if -@@ -83,3 +83,36 @@ interface(`quota_manage_flags',` +@@ -83,3 +83,55 @@ interface(`quota_manage_flags',` files_search_var_lib($1) manage_files_pattern($1, quota_flag_t, quota_flag_t) ') @@ -2445,11 +2496,44 @@ index bf75d99..1698e8f 100644 + files_spool_filetrans($1, quota_db_t, file, "aquota.user") + files_spool_filetrans($1, quota_db_t, file, "aquota.group") +') ++ ++####################################### ++## ++## Transition to quota_nld. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`quota_domtrans_nld',` ++ gen_require(` ++ type quota_nld_t, quota_nld_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) ++') diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te -index 5dd42f5..f13ac41 100644 +index 5dd42f5..4d272f2 100644 --- a/policy/modules/admin/quota.te 
+++ b/policy/modules/admin/quota.te -@@ -72,7 +72,7 @@ init_use_script_ptys(quota_t) +@@ -15,6 +15,13 @@ files_type(quota_db_t) + type quota_flag_t; + files_type(quota_flag_t) + ++type quota_nld_t; ++type quota_nld_exec_t; ++init_daemon_domain(quota_nld_t, quota_nld_exec_t) ++ ++type quota_nld_var_run_t; ++files_pid_file(quota_nld_var_run_t) ++ + ######################################## + # + # Local policy +@@ -72,7 +79,7 @@ init_use_script_ptys(quota_t) logging_send_syslog_msg(quota_t) @@ -2458,6 +2542,41 @@ index 5dd42f5..f13ac41 100644 userdom_dontaudit_use_unpriv_user_fds(quota_t) optional_policy(` +@@ -82,3 +89,34 @@ optional_policy(` + optional_policy(` + udev_read_db(quota_t) + ') ++ ++####################################### ++# ++# Local policy ++# ++ ++allow quota_nld_t self:fifo_file rw_fifo_file_perms; ++allow quota_nld_t self:netlink_socket create_socket_perms; ++allow quota_nld_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t) ++files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file }) ++ ++kernel_read_network_state(quota_nld_t) ++ ++files_read_etc_files(quota_nld_t) ++ ++auth_use_nsswitch(quota_nld_t) ++ ++init_read_utmp(quota_nld_t) ++ ++logging_send_syslog_msg(quota_nld_t) ++ ++miscfiles_read_localization(quota_nld_t) ++ ++userdom_use_user_terminals(quota_nld_t) ++ ++optional_policy(` ++ dbus_system_bus_client(quota_nld_t) ++ dbus_connect_system_bus(quota_nld_t) ++') diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc index 7077413..6bc0fa8 100644 --- a/policy/modules/admin/readahead.fc @@ -2837,7 +2956,7 @@ index d33daa8..8ba0f86 100644 + allow rpm_script_t $1:process sigchld; +') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te -index 47a8f7d..8d3c1d8 100644 +index 47a8f7d..4b78d5b 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,10 +1,11 @@ 
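Review bot: The new section heading for quota_nld reuses the file's existing `# Local policy` title (the quota_t section keeps that heading, as the context of the inner @@ -15 hunk shows), so the two sections are indistinguishable when grepping; rename it `# quota_nld local policy`. `userdom_use_user_terminals(quota_nld_t)` grants write on every user tty and pty, which is this daemon's job if it delivers quota warnings to logged-in users, but that is inferred from the name — a one-line comment such as `# writes quota warnings to users' terminals — confirm` would make the broad grant reviewable. The matching quota.fc hunk (@@ -2404) labels only the pid file, so `files_pid_filetrans` here is the only path to quota_nld_var_run_t, which looks consistent.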
@@ -2926,7 +3045,13 @@ index 47a8f7d..8d3c1d8 100644 libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -189,7 +211,7 @@ logging_send_syslog_msg(rpm_t) +@@ -185,11 +207,13 @@ libs_domtrans_ldconfig(rpm_t) + + logging_send_syslog_msg(rpm_t) + ++miscfiles_filetrans_named_content(rpm_t) ++ + # allow compiling and loading new policy seutil_manage_src_policy(rpm_t) seutil_manage_bin_policy(rpm_t) @@ -2935,7 +3060,7 @@ index 47a8f7d..8d3c1d8 100644 userdom_use_unpriv_users_fds(rpm_t) optional_policy(` -@@ -207,6 +229,7 @@ optional_policy(` +@@ -207,6 +231,7 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(rpm_t) ') @@ -2943,7 +3068,7 @@ index 47a8f7d..8d3c1d8 100644 ') optional_policy(` -@@ -214,7 +237,7 @@ optional_policy(` +@@ -214,7 +239,7 @@ optional_policy(` ') optional_policy(` @@ -2952,7 +3077,7 @@ index 47a8f7d..8d3c1d8 100644 # yum-updatesd requires this unconfined_dbus_chat(rpm_t) unconfined_dbus_chat(rpm_script_t) -@@ -257,12 +280,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +@@ -257,12 +282,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) can_exec(rpm_script_t, rpm_script_tmpfs_t) @@ -2971,7 +3096,7 @@ index 47a8f7d..8d3c1d8 100644 dev_list_sysfs(rpm_script_t) # ideally we would not need this -@@ -299,15 +328,17 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -299,15 +330,17 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) 
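Review bot: `miscfiles_filetrans_named_content(rpm_t)` is added here and again for rpm_script_t (@@ -2992), sysadm_t (@@ -20664) and unconfined_t (@@ -21893), but no hunk on this page adds that interface to miscfiles.if, so confirm it is defined in this tree before the module is built. Given the patch subject, this presumably stands in for the file transitions the tzdata domain used to provide; a comment on this first use, `# named file transitions for tzdata-style content; replaces the removed tzdata domain — confirm`, would tie the two halves of the change together for the next reader.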
@@ -2992,13 +3117,15 @@ index 47a8f7d..8d3c1d8 100644 domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -332,18 +363,18 @@ logging_send_syslog_msg(rpm_script_t) +@@ -331,19 +364,20 @@ libs_domtrans_ldconfig(rpm_script_t) + logging_send_syslog_msg(rpm_script_t) miscfiles_read_localization(rpm_script_t) - +- -modutils_domtrans_depmod(rpm_script_t) -modutils_domtrans_insmod(rpm_script_t) -- ++miscfiles_filetrans_named_content(rpm_script_t) + seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -3014,7 +3141,7 @@ index 47a8f7d..8d3c1d8 100644 ') ') -@@ -368,6 +399,11 @@ optional_policy(` +@@ -368,6 +402,11 @@ optional_policy(` ') optional_policy(` @@ -3026,7 +3153,7 @@ index 47a8f7d..8d3c1d8 100644 tzdata_domtrans(rpm_t) tzdata_domtrans(rpm_script_t) ') -@@ -377,8 +413,9 @@ optional_policy(` +@@ -377,8 +416,9 @@ optional_policy(` ') optional_policy(` @@ -20628,10 +20755,10 @@ index 2be17d2..2c588ca 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..80db5fc 100644 +index e14b961..f3980e0 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -24,20 +24,47 @@ ifndef(`enable_mls',` +@@ -24,20 +24,48 @@ ifndef(`enable_mls',` # # Local policy # @@ -20664,6 +20791,7 @@ index e14b961..80db5fc 100644 +init_dbus_chat(sysadm_t) +init_script_role_transition(sysadm_r) + ++miscfiles_filetrans_named_content(sysadm_t) +miscfiles_read_hwdata(sysadm_t) + +sysnet_filetrans_named_content(sysadm_t) @@ -20679,7 +20807,7 @@ index e14b961..80db5fc 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,6 +82,7 @@ ifndef(`enable_mls',` +@@ -55,6 +83,7 @@ ifndef(`enable_mls',` logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t, sysadm_r) 
@@ -20687,7 +20815,7 @@ index e14b961..80db5fc 100644 ') tunable_policy(`allow_ptrace',` -@@ -67,9 +95,9 @@ optional_policy(` +@@ -67,9 +96,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -20698,7 +20826,7 @@ index e14b961..80db5fc 100644 ') optional_policy(` -@@ -98,6 +126,10 @@ optional_policy(` +@@ -98,6 +127,10 @@ optional_policy(` ') optional_policy(` @@ -20709,7 +20837,7 @@ index e14b961..80db5fc 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -110,11 +142,19 @@ optional_policy(` +@@ -110,11 +143,19 @@ optional_policy(` ') optional_policy(` @@ -20730,7 +20858,7 @@ index e14b961..80db5fc 100644 ') optional_policy(` -@@ -128,6 +168,10 @@ optional_policy(` +@@ -128,6 +169,10 @@ optional_policy(` ') optional_policy(` @@ -20741,7 +20869,7 @@ index e14b961..80db5fc 100644 dmesg_exec(sysadm_t) ') -@@ -163,6 +207,13 @@ optional_policy(` +@@ -163,6 +208,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -20755,7 +20883,7 @@ index e14b961..80db5fc 100644 ') optional_policy(` -@@ -170,15 +221,20 @@ optional_policy(` +@@ -170,15 +222,20 @@ optional_policy(` ') optional_policy(` @@ -20779,7 +20907,7 @@ index e14b961..80db5fc 100644 ') optional_policy(` -@@ -198,22 +254,19 @@ optional_policy(` +@@ -198,22 +255,19 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -20807,7 +20935,7 @@ index e14b961..80db5fc 100644 ') optional_policy(` -@@ -225,25 +278,47 @@ optional_policy(` +@@ -225,25 +279,47 @@ optional_policy(` ') optional_policy(` @@ -20855,7 +20983,7 @@ index e14b961..80db5fc 100644 portage_run(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) ') -@@ -253,19 +328,19 @@ optional_policy(` +@@ -253,19 +329,19 @@ optional_policy(` ') optional_policy(` 
@@ -20879,7 +21007,7 @@ index e14b961..80db5fc 100644 ') optional_policy(` -@@ -274,10 +349,7 @@ optional_policy(` +@@ -274,10 +350,7 @@ optional_policy(` optional_policy(` rpm_run(sysadm_t, sysadm_r) @@ -20891,7 +21019,7 @@ index e14b961..80db5fc 100644 ') optional_policy(` -@@ -302,12 +374,18 @@ optional_policy(` +@@ -302,12 +375,18 @@ optional_policy(` ') optional_policy(` @@ -20911,7 +21039,7 @@ index e14b961..80db5fc 100644 ') optional_policy(` -@@ -332,7 +410,10 @@ optional_policy(` +@@ -332,7 +411,10 @@ optional_policy(` ') optional_policy(` @@ -20923,7 +21051,7 @@ index e14b961..80db5fc 100644 ') optional_policy(` -@@ -343,19 +424,15 @@ optional_policy(` +@@ -343,19 +425,15 @@ optional_policy(` ') optional_policy(` @@ -20945,7 +21073,7 @@ index e14b961..80db5fc 100644 ') optional_policy(` -@@ -367,45 +444,45 @@ optional_policy(` +@@ -367,45 +445,45 @@ optional_policy(` ') optional_policy(` @@ -21002,7 +21130,7 @@ index e14b961..80db5fc 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -418,10 +495,6 @@ ifndef(`distro_redhat',` +@@ -418,10 +496,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -21013,7 +21141,7 @@ index e14b961..80db5fc 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -439,6 +512,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +513,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -21021,7 +21149,7 @@ index e14b961..80db5fc 100644 ') optional_policy(` -@@ -446,11 +520,66 @@ ifndef(`distro_redhat',` +@@ -446,11 +521,66 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -21800,10 +21928,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..49f2c54 +index 0000000..8d7dde1 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,504 @@ +@@ -0,0 +1,502 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## 
@@ -21893,6 +22021,8 @@ index 0000000..49f2c54 + +authlogin_filetrans_named_content(unconfined_t) + ++miscfiles_filetrans_named_content(unconfined_t) ++ +sysnet_filetrans_named_content(unconfined_t) + +optional_policy(` @@ -22009,10 +22139,6 @@ index 0000000..49f2c54 + ') + + optional_policy(` -+ tzdata_run(unconfined_usertype, unconfined_r) -+ ') -+ -+ optional_policy(` + gen_require(` + type user_tmpfs_t; + ') @@ -22906,7 +23032,7 @@ index 0b827c5..46e3aa9 100644 + dontaudit $1 abrt_t:sock_file write; +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..b11c27f 100644 +index 30861ec..4b0f7cc 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0) @@ -22991,7 +23117,7 @@ index 30861ec..b11c27f 100644 +allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; dontaudit abrt_t self:capability sys_rawio; -allow abrt_t self:process { signal signull setsched getsched }; -+allow abrt_t self:process { sigkill signal signull setsched getsched }; ++allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; @@ -24535,7 +24661,7 @@ index 6480167..e12bbc0 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..f165efd 100644 +index 3136c6a..248682c 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,203 @@ policy_module(apache, 2.2.1) 
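Review bot: Dropping `tzdata_run(unconfined_usertype, unconfined_r)` is the only tzdata removal visible in this patch, while rpm.te still calls `tzdata_domtrans(rpm_t)` and `tzdata_domtrans(rpm_script_t)` inside an optional_policy block (context of the @@ -3026 hunk above). If the tzdata module's .if file is deleted from the tree, as the subject suggests, those calls become undefined m4 macros and the rpm module fails to build; if only modules.conf changes they are silently dropped. Either way the remaining calls should go in the same patch, and the selinux-policy.spec hunk (not shown) should be checked for the matching file-list change.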
@@ -25544,7 +25670,7 @@ index 3136c6a..f165efd 100644 ') ######################################## -@@ -891,11 +1263,48 @@ optional_policy(` +@@ -891,11 +1263,49 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -25591,7 +25717,8 @@ index 3136c6a..f165efd 100644 + +dev_read_urand(httpd_passwd_t) + -+systemd_passwd_agent_dev_template(httpd) ++systemd_manage_passwd_run(httpd_t) ++#systemd_passwd_agent_dev_template(httpd) + +domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t) +dontaudit httpd_passwd_t httpd_config_t:file read; @@ -26714,10 +26841,10 @@ index 0000000..fa9b95a +') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 -index 0000000..1442451 +index 0000000..e841806 --- /dev/null +++ b/policy/modules/services/boinc.te -@@ -0,0 +1,172 @@ +@@ -0,0 +1,174 @@ +policy_module(boinc, 1.0.0) + +######################################## @@ -26875,6 +27002,8 @@ index 0000000..1442451 + +corenet_tcp_connect_boinc_port(boinc_project_t) + ++domain_read_all_domains_state(boinc_project_t) ++ +dev_read_rand(boinc_project_t) +dev_read_urand(boinc_project_t) +dev_read_sysfs(boinc_project_t) 
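Review bot: `systemd_manage_passwd_run(httpd_t)` grants the network-facing web server domain, rather than the dedicated `httpd_passwd_t` helper that the `domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)` two lines below is set up for, manage access to systemd's password-agent run files. If the helper is what talks to the password agent, the grant belongs on the helper so a compromised httpd_t cannot reach those files, i.e. `systemd_manage_passwd_run(httpd_passwd_t)`; if httpd_t itself needs it, a comment should say why. The commented-out `#systemd_passwd_agent_dev_template(httpd)` should either be deleted or carry a note on why the template was abandoned.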
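Review bot: `domain_read_all_domains_state(boinc_project_t)` lets the project domain, which runs code fetched from BOINC projects, read the /proc state of every domain on the system — far broader than the device reads around it in this section. If the need is only its own process tree or the parent boinc_t, a narrower rule such as `ps_process_pattern(boinc_project_t, boinc_t)` would serve; otherwise add a comment naming the denial that required it. The boinc_project_t section continues outside this hunk.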
@@ -28764,6 +28893,264 @@ index 6077339..d10acd2 100644 dev_read_lvm_control(clogd_t) dev_manage_generic_blk_files(clogd_t) +diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc +new file mode 100644 +index 0000000..2c745ea +--- /dev/null ++++ b/policy/modules/services/cloudform.fc +@@ -0,0 +1,16 @@ ++/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) ++ ++/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0) ++/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0) ++/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) ++/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0) ++ ++/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0) ++/var/log/iwhd\.log -- gen_context(system_u:object_r:iwhd_log_t,s0) ++/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0) ++ ++/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0) ++/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0) ++/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0) ++ +diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if +new file mode 100644 +index 0000000..917f8d4 +--- /dev/null ++++ b/policy/modules/services/cloudform.if +@@ -0,0 +1,23 @@ ++## cloudform policy ++ ++####################################### ++## ++## Creates types and rules for a basic ++## cloudform daemon domain. ++## ++## ++## ++## Prefix for the domain. 
++## ++## ++# ++template(`cloudform_domain_template',` ++ gen_require(` ++ attribute cloudform_domain; ++ ') ++ ++ type $1_t, cloudform_domain; ++ type $1_exec_t; ++ init_daemon_domain($1_t, $1_exec_t) ++ ++') +diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te +new file mode 100644 +index 0000000..1fb3787 +--- /dev/null ++++ b/policy/modules/services/cloudform.te +@@ -0,0 +1,201 @@ ++policy_module(cloudform, 1.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute cloudform_domain; ++ ++cloudform_domain_template(deltacloudd) ++cloudform_domain_template(iwhd) ++cloudform_domain_template(mongod) ++cloudform_domain_template(thin) ++ ++type deltacloudd_tmp_t; ++files_tmp_file(deltacloudd_tmp_t) ++ ++type iwhd_initrc_exec_t; ++init_script_file(iwhd_initrc_exec_t) ++ ++type iwhd_var_lib_t; ++files_type(iwhd_var_lib_t) ++ ++type iwhd_var_run_t; ++files_pid_file(iwhd_var_run_t) ++ ++type mongod_initrc_exec_t; ++init_script_file(mongod_initrc_exec_t) ++ ++type mongod_log_t; ++logging_log_file(mongod_log_t) ++ ++type mongod_var_lib_t; ++files_type(mongod_var_lib_t) ++ ++type mongod_tmp_t; ++files_tmp_file(mongod_tmp_t) ++ ++type mongod_var_run_t; ++files_pid_file(mongod_var_run_t) ++ ++type thin_var_run_t; ++files_pid_file(thin_var_run_t) ++ ++type iwhd_log_t; ++logging_log_file(iwhd_log_t) ++ ++######################################## ++# ++# cloudform_domain local policy ++# ++ ++allow cloudform_domain self:fifo_file rw_fifo_file_perms; ++allow cloudform_domain self:tcp_socket create_stream_socket_perms; ++ ++dev_read_urand(cloudform_domain) ++ ++files_read_etc_files(cloudform_domain) ++ ++miscfiles_read_certs(cloudform_domain) ++miscfiles_read_localization(cloudform_domain) ++ ++######################################## ++# ++# deltacloudd local policy ++# ++ ++allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms; ++allow deltacloudd_t self:udp_socket create_socket_perms; ++ ++allow 
deltacloudd_t self:process signal; ++ ++allow deltacloudd_t self:fifo_file rw_fifo_file_perms; ++allow deltacloudd_t self:tcp_socket create_stream_socket_perms; ++allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t) ++manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t) ++files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir }) ++ ++corecmd_exec_bin(deltacloudd_t) ++ ++corenet_tcp_bind_generic_node(deltacloudd_t) ++corenet_tcp_bind_generic_port(deltacloudd_t) ++ ++files_read_usr_files(deltacloudd_t) ++ ++logging_send_syslog_msg(deltacloudd_t) ++ ++optional_policy(` ++ sysnet_read_config(deltacloudd_t) ++') ++ ++######################################## ++# ++# iwhd local policy ++# ++ ++allow iwhd_t self:capability { chown kill }; ++allow iwhd_t self:process { fork }; ++ ++allow iwhd_t self:netlink_route_socket r_netlink_socket_perms; ++allow iwhd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t) ++manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t) ++ ++manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t) ++logging_log_filetrans(iwhd_t, iwhd_log_t, { file }) ++ ++manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t) ++manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t) ++files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file }) ++ ++kernel_read_system_state(iwhd_t) ++ ++corenet_tcp_bind_generic_node(iwhd_t) ++#type=AVC msg=audit(1319039371.089:62273): avc: denied { name_connect } for pid=9628 comm="iwhd" dest=27017 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket ++#type=AVC msg=audit(1319039371.089:62274): avc: denied { name_bind } for pid=9625 comm="iwhd" src=9090 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket ++ ++dev_read_rand(iwhd_t) 
++dev_read_urand(iwhd_t) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_list_auto_mountpoints(iwhd_t) ++ fs_manage_nfs_dirs(iwhd_t) ++ fs_manage_nfs_files(iwhd_t) ++ fs_manage_nfs_symlinks(iwhd_t) ++') ++ ++######################################## ++# ++# mongod local policy ++# ++ ++#WHY? ++allow mongod_t self:process execmem; ++ ++allow mongod_t self:process setsched; ++ ++allow mongod_t self:process { fork signal }; ++ ++allow mongod_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t) ++manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t) ++ ++manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) ++manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) ++ ++manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) ++manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) ++manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) ++files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file }) ++ ++manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) ++manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) ++ ++corenet_tcp_bind_generic_node(mongod_t) ++#temporary ++corenet_tcp_bind_generic_port(mongod_t) ++ ++domain_use_interactive_fds(mongod_t) ++ ++optional_policy(` ++ sysnet_dns_name_resolve(mongod_t) ++') ++ ++######################################## ++# ++# thin local policy ++# ++ ++allow thin_t self:capability { setuid kill setgid dac_override }; ++ ++allow thin_t self:netlink_route_socket r_netlink_socket_perms; ++allow thin_t self:udp_socket create_socket_perms; ++allow thin_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) ++files_pid_filetrans(thin_t, thin_var_run_t, { file }) ++ ++corecmd_exec_bin(thin_t) ++ ++corenet_tcp_bind_generic_node(thin_t) ++corenet_tcp_bind_ntop_port(thin_t) ++corenet_tcp_connect_postgresql_port(thin_t) ++#type=AVC 
msg=audit(1319039370.469:62271): avc: denied { name_connect } for pid=9540 comm="thin" dest=3002 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket ++ ++files_read_usr_files(thin_t) ++ ++fs_search_auto_mountpoints(thin_t) ++ ++init_read_utmp(thin_t) ++ ++kernel_read_kernel_sysctls(thin_t) ++ ++optional_policy(` ++ sysnet_read_config(thin_t) ++') ++ diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc index 049e2b6..dcc7de8 100644 --- a/policy/modules/services/cmirrord.fc @@ -36087,6 +36474,20 @@ index 0000000..1f39a80 + lldpad_dgram_send(fcoemon_t) +') + +diff --git a/policy/modules/services/fetchmail.fc b/policy/modules/services/fetchmail.fc +index 455c620..c263c70 100644 +--- a/policy/modules/services/fetchmail.fc ++++ b/policy/modules/services/fetchmail.fc +@@ -1,3 +1,9 @@ ++# ++# /HOME ++# ++HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0) ++/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0) ++ + + # + # /etc diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if index 6537214..7d64c0a 100644 --- a/policy/modules/services/fetchmail.if @@ -36100,20 +36501,43 @@ index 6537214..7d64c0a 100644 files_list_etc($1) diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te -index 3459d93..c39305a 100644 +index 3459d93..3d4e162 100644 --- a/policy/modules/services/fetchmail.te 
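Review bot: `corenet_tcp_bind_generic_port(deltacloudd_t)` and the `#temporary` `corenet_tcp_bind_generic_port(mongod_t)` let those daemons bind any unlabeled port, and the three `#type=AVC …` lines left in cloudform.te record the actual ports involved (27017 for iwhd's connect, 9090 for its bind, 3002 for thin's connect) without granting them. The durable fix is to declare port types in corenetwork.te.in (outside this hunk) and use per-port bind/connect interfaces, replacing the raw audit lines with a TODO that names those ports. `#WHY?` above `allow mongod_t self:process execmem;` should also be resolved, either with a comment explaining the need (a JIT, presumably — confirm) or by removing the rule. Minor style: the blank line before `')` in `cloudform_domain_template` and `iwhd_log_t` being declared after the thin types break the file's grouping.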
+++ b/policy/modules/services/fetchmail.te -@@ -88,6 +88,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) - userdom_dontaudit_search_user_home_dirs(fetchmail_t) +@@ -10,6 +10,9 @@ type fetchmail_exec_t; + init_daemon_domain(fetchmail_t, fetchmail_exec_t) + application_executable_file(fetchmail_exec_t) - optional_policy(` -+ kerberos_use(fetchmail_t) -+') ++type fetchmail_home_t; ++userdom_user_home_content(fetchmail_home_t) ++ + type fetchmail_var_run_t; + files_pid_file(fetchmail_var_run_t) + +@@ -41,6 +44,11 @@ manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) + manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) + files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file }) + ++list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) ++read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) ++userdom_search_user_home_dirs(fetchmail_t) ++userdom_search_admin_dir(fetchmail_t) ++ + kernel_read_kernel_sysctls(fetchmail_t) + kernel_list_proc(fetchmail_t) + kernel_getattr_proc_files(fetchmail_t) +@@ -85,7 +93,10 @@ miscfiles_read_generic_certs(fetchmail_t) + sysnet_read_config(fetchmail_t) + + userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) +-userdom_dontaudit_search_user_home_dirs(fetchmail_t) + +optional_policy(` - procmail_domtrans(fetchmail_t) - ') ++ kerberos_use(fetchmail_t) ++') + optional_policy(` + procmail_domtrans(fetchmail_t) diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te index 9b7036a..4770f61 100644 --- a/policy/modules/services/finger.te @@ -42731,7 +43155,7 @@ index 256166a..6321a93 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..fff3a52 100644 +index 343cee3..e5c33d1 100644 --- a/policy/modules/services/mta.if 
+++ b/policy/modules/services/mta.if @@ -37,9 +37,9 @@ interface(`mta_stub',` @@ -42753,7 +43177,16 @@ index 343cee3..fff3a52 100644 ') optional_policy(` -@@ -158,6 +159,7 @@ template(`mta_base_mail_template',` +@@ -128,6 +129,8 @@ template(`mta_base_mail_template',` + # Write to /var/spool/mail and /var/spool/mqueue. + manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t) + manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t) ++ read_lnk_files_pattern($1_mail_t, mail_spool_t, mail_spool_t) ++ read_lnk_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t) + + # Check available space. + fs_getattr_xattr_fs($1_mail_t) +@@ -158,6 +161,7 @@ template(`mta_base_mail_template',` ## User domain for the role ## ## @@ -42761,7 +43194,7 @@ index 343cee3..fff3a52 100644 # interface(`mta_role',` gen_require(` -@@ -169,11 +171,19 @@ interface(`mta_role',` +@@ -169,11 +173,19 @@ interface(`mta_role',` # Transition from the user domain to the derived domain. domtrans_pattern($2, sendmail_exec_t, user_mail_t) @@ -42782,7 +43215,7 @@ index 343cee3..fff3a52 100644 ') ######################################## -@@ -220,6 +230,25 @@ interface(`mta_agent_executable',` +@@ -220,6 +232,25 @@ interface(`mta_agent_executable',` application_executable_file($1) ') @@ -42808,7 +43241,7 @@ index 343cee3..fff3a52 100644 ######################################## ## ## Make the specified type by a system MTA. -@@ -306,7 +335,6 @@ interface(`mta_mailserver_sender',` +@@ -306,7 +337,6 @@ interface(`mta_mailserver_sender',` interface(`mta_mailserver_delivery',` gen_require(` attribute mailserver_delivery; @@ -42816,7 +43249,7 @@ index 343cee3..fff3a52 100644 ') typeattribute $1 mailserver_delivery; -@@ -330,12 +358,6 @@ interface(`mta_mailserver_user_agent',` +@@ -330,12 +360,6 @@ interface(`mta_mailserver_user_agent',` ') typeattribute $1 mta_user_agent; 
@@ -42829,7 +43262,7 @@ index 343cee3..fff3a52 100644 ') ######################################## -@@ -350,9 +372,8 @@ interface(`mta_mailserver_user_agent',` +@@ -350,9 +374,8 @@ interface(`mta_mailserver_user_agent',` # interface(`mta_send_mail',` gen_require(` @@ -42840,7 +43273,7 @@ index 343cee3..fff3a52 100644 ') allow $1 mta_exec_type:lnk_file read_lnk_file_perms; -@@ -391,12 +412,17 @@ interface(`mta_send_mail',` +@@ -391,12 +414,17 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` @@ -42860,7 +43293,7 @@ index 343cee3..fff3a52 100644 ') ######################################## -@@ -409,7 +435,6 @@ interface(`mta_sendmail_domtrans',` +@@ -409,7 +437,6 @@ interface(`mta_sendmail_domtrans',` ## ## # @@ -42868,7 +43301,7 @@ index 343cee3..fff3a52 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -420,6 +445,24 @@ interface(`mta_signal_system_mail',` +@@ -420,6 +447,24 @@ interface(`mta_signal_system_mail',` ######################################## ## @@ -42893,7 +43326,7 @@ index 343cee3..fff3a52 100644 ## Execute sendmail in the caller domain. ## ## -@@ -438,6 +481,26 @@ interface(`mta_sendmail_exec',` +@@ -438,6 +483,26 @@ interface(`mta_sendmail_exec',` ######################################## ## @@ -42920,7 +43353,7 @@ index 343cee3..fff3a52 100644 ## Read mail server configuration. ## ## -@@ -474,7 +537,8 @@ interface(`mta_write_config',` +@@ -474,7 +539,8 @@ interface(`mta_write_config',` type etc_mail_t; ') @@ -42930,7 +43363,7 @@ index 343cee3..fff3a52 100644 ') ######################################## -@@ -494,6 +558,7 @@ interface(`mta_read_aliases',` +@@ -494,6 +560,7 @@ interface(`mta_read_aliases',` files_search_etc($1) allow $1 etc_aliases_t:file read_file_perms; 
@@ -42938,7 +43371,7 @@ index 343cee3..fff3a52 100644 ') ######################################## -@@ -532,7 +597,7 @@ interface(`mta_etc_filetrans_aliases',` +@@ -532,7 +599,7 @@ interface(`mta_etc_filetrans_aliases',` type etc_aliases_t; ') @@ -42947,7 +43380,7 @@ index 343cee3..fff3a52 100644 ') ######################################## -@@ -552,7 +617,7 @@ interface(`mta_rw_aliases',` +@@ -552,7 +619,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -42956,7 +43389,7 @@ index 343cee3..fff3a52 100644 ') ####################################### -@@ -646,8 +711,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -646,8 +713,8 @@ interface(`mta_dontaudit_getattr_spool_files',` files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; @@ -42967,7 +43400,7 @@ index 343cee3..fff3a52 100644 ') ####################################### -@@ -680,6 +745,25 @@ interface(`mta_spool_filetrans',` +@@ -680,6 +747,25 @@ interface(`mta_spool_filetrans',` filetrans_pattern($1, mail_spool_t, $2, $3) ') @@ -42993,7 +43426,7 @@ index 343cee3..fff3a52 100644 ######################################## ## ## Read and write the mail spool. -@@ -697,8 +781,8 @@ interface(`mta_rw_spool',` +@@ -697,8 +783,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -43004,7 +43437,7 @@ index 343cee3..fff3a52 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -838,7 +922,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -838,7 +924,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -43013,7 +43446,7 @@ index 343cee3..fff3a52 100644 ') ######################################## -@@ -899,3 +983,112 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -899,3 +985,112 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') 
@@ -43127,7 +43560,7 @@ index 343cee3..fff3a52 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..d46b314 100644 +index 64268e4..c84e80f 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,14 +20,16 @@ files_type(etc_aliases_t) @@ -43374,7 +43807,7 @@ index 64268e4..d46b314 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(user_mail_t) fs_manage_cifs_symlinks(user_mail_t) -@@ -292,3 +316,44 @@ optional_policy(` +@@ -292,3 +316,46 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -43401,6 +43834,8 @@ index 64268e4..d46b314 100644 +kernel_read_network_state(user_mail_domain) +kernel_request_load_module(user_mail_domain) + ++files_read_usr_files(user_mail_domain) ++ +optional_policy(` + # postfix needs this for newaliases + files_getattr_tmp_dirs(user_mail_domain) @@ -64372,7 +64807,7 @@ index 28ad538..59742f4 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..e3720d4 100644 +index 73554ec..6a25dd6 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -64384,8 +64819,14 @@ index 73554ec..e3720d4 100644 logging_send_audit_msgs($1) logging_send_syslog_msg($1) -@@ -80,6 +82,12 @@ interface(`auth_use_pam',` +@@ -78,8 +80,18 @@ interface(`auth_use_pam',` + ') + optional_policy(` ++ locallogin_getattr_home_content($1) ++ ') ++ ++ optional_policy(` nis_authenticate($1) ') + 
@@ -64397,7 +64838,7 @@ index 73554ec..e3720d4 100644 ') ######################################## -@@ -95,9 +103,12 @@ interface(`auth_use_pam',` +@@ -95,9 +107,12 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; @@ -64410,7 +64851,7 @@ index 73554ec..e3720d4 100644 domain_subj_id_change_exemption($1) domain_role_change_exemption($1) domain_obj_id_change_exemption($1) -@@ -105,14 +116,17 @@ interface(`auth_login_pgm_domain',` +@@ -105,14 +120,17 @@ interface(`auth_login_pgm_domain',` # Needed for pam_selinux_permit to cleanup properly domain_read_all_domains_state($1) @@ -64428,7 +64869,7 @@ index 73554ec..e3720d4 100644 manage_files_pattern($1, var_auth_t, var_auth_t) manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -@@ -123,13 +137,19 @@ interface(`auth_login_pgm_domain',` +@@ -123,13 +141,19 @@ interface(`auth_login_pgm_domain',` # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 kernel_rw_afs_state($1) @@ -64449,7 +64890,7 @@ index 73554ec..e3720d4 100644 selinux_get_fs_mount($1) selinux_validate_context($1) -@@ -145,6 +165,8 @@ interface(`auth_login_pgm_domain',` +@@ -145,6 +169,8 @@ interface(`auth_login_pgm_domain',` mls_process_set_level($1) mls_fd_share_all_levels($1) @@ -64458,7 +64899,7 @@ index 73554ec..e3720d4 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -155,9 +177,83 @@ interface(`auth_login_pgm_domain',` +@@ -155,9 +181,83 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) @@ -64498,7 +64939,7 @@ index 73554ec..e3720d4 100644 + + optional_policy(` + fprintd_dbus_chat($1) -+ ') + ') + + optional_policy(` + ssh_agent_exec($1) 
@@ -64538,13 +64979,13 @@ index 73554ec..e3720d4 100644 +interface(`authlogin_rw_pipes',` + gen_require(` + attribute polydomain; - ') ++ ') + + allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms; ') ######################################## -@@ -368,13 +464,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -368,13 +468,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -64561,7 +65002,7 @@ index 73554ec..e3720d4 100644 ') ######################################## -@@ -421,6 +519,25 @@ interface(`auth_run_chk_passwd',` +@@ -421,6 +523,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -64587,7 +65028,7 @@ index 73554ec..e3720d4 100644 ') ######################################## -@@ -736,7 +853,47 @@ interface(`auth_rw_faillog',` +@@ -736,7 +857,47 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -64636,7 +65077,7 @@ index 73554ec..e3720d4 100644 ') ####################################### -@@ -932,9 +1089,30 @@ interface(`auth_manage_var_auth',` +@@ -932,9 +1093,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -64670,7 +65111,7 @@ index 73554ec..e3720d4 100644 ') ######################################## -@@ -1387,6 +1565,25 @@ interface(`auth_setattr_login_records',` +@@ -1387,6 +1569,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -64696,7 +65137,7 @@ index 73554ec..e3720d4 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1541,24 +1738,6 @@ interface(`auth_manage_login_records',` +@@ -1541,24 +1742,6 @@ interface(`auth_manage_login_records',` ######################################## ## @@ -64721,7 +65162,7 @@ index 73554ec..e3720d4 100644 ## Use nsswitch to look up user, password, group, or ## host information. ## -@@ -1578,54 +1757,11 @@ interface(`auth_relabel_login_records',` +@@ -1578,54 +1761,11 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` 
@@ -64779,7 +65220,7 @@ index 73554ec..e3720d4 100644 ') ######################################## -@@ -1659,3 +1795,33 @@ interface(`auth_unconfined',` +@@ -1659,3 +1799,33 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -68362,14 +68803,32 @@ index be6a81b..9a27055 100644 /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) /sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if -index 0e3c2a9..3272623 100644 +index 0e3c2a9..40adf5a 100644 --- a/policy/modules/system/locallogin.if +++ b/policy/modules/system/locallogin.if -@@ -129,3 +129,41 @@ interface(`locallogin_domtrans_sulogin',` +@@ -129,3 +129,59 @@ interface(`locallogin_domtrans_sulogin',` domtrans_pattern($1, sulogin_exec_t, sulogin_t) ') + ++####################################### ++## ++## Allow domain to gettatr local login home content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`locallogin_getattr_home_content',` ++ gen_require(` ++ type local_login_home_t; ++ ') ++ ++ getattr_files_pattern($1, local_login_home_t, local_login_home_t) ++') ++ +######################################## +## +## create local login content in the in the /root directory @@ -69151,7 +69610,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index a0a0ebf..e55e967 100644 +index a0a0ebf..5e4149d 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -69324,7 +69783,7 @@ index a0a0ebf..e55e967 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -331,14 +364,26 @@ optional_policy(` +@@ -331,14 +364,27 @@ optional_policy(` ') optional_policy(` 
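Review bot: The summary of the new `locallogin_getattr_home_content` interface misspells the permission it grants (`## Allow domain to gettatr local login home content`); interface summaries are what `sedoctool` and the policy docs show to consumers, so a typo there is what they will read. Suggested wording: `## Get the attributes of local login home content (local_login_home_t).` The body itself is a plain `getattr_files_pattern` on `local_login_home_t`, which matches the intended name.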
@@ -69344,7 +69803,8 @@ index a0a0ebf..e55e967 100644 ') optional_policy(` -+ systemd_passwd_agent_dev_template(lvm) ++ #systemd_passwd_agent_dev_template(lvm) ++ systemd_manage_passwd_run(lvm_t) +') + +optional_policy(` @@ -69374,7 +69834,7 @@ index 172287e..ec1f0e8 100644 /usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0) /usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index 926ba65..13762b6 100644 +index 926ba65..38de7a8 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -582,6 +582,26 @@ interface(`miscfiles_manage_man_pages',` 
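Review bot: The new lvm.te block keeps the superseded call as dead text, `#systemd_passwd_agent_dev_template(lvm)`, directly above its replacement `systemd_manage_passwd_run(lvm_t)`; commented-out policy rules tend to be resurrected or mistaken for active grants during later audits. Either drop the line or turn it into a reason, e.g. `# ask-password access is granted via systemd_manage_passwd_run, not the dev template`. The enclosing `optional_policy` block is complete within the hunk, so no other change is needed here.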
@@ -69404,31 +69864,56 @@ index 926ba65..13762b6 100644 ## Read public files used for file ## transfer services. ## -@@ -745,7 +765,24 @@ interface(`miscfiles_etc_filetrans_localization',` +@@ -745,7 +765,6 @@ interface(`miscfiles_etc_filetrans_localization',` ') files_etc_filetrans($1, locale_t, file) -+') -+ +- + ') + + ######################################## +@@ -769,3 +788,41 @@ interface(`miscfiles_manage_localization',` + manage_lnk_files_pattern($1, locale_t, locale_t) + ') + +######################################## +## -+## Execute test files. ++## Transition to miscfiles named content +## +## +## -+## Domain allowed access. ++## Domain allowed access. +## +## +# +interface(`miscfiles_filetrans_named_content',` + gen_require(` ++ type locale_t; + type man_t; ++ type cert_t; ++ type fonts_t; ++ type fonts_cache_t; ++ type hwdata_t; ++ type tetex_data_t; ++ type public_content_t; + ') - ++ ++ files_etc_filetrans($1, locale_t, file, "localtime") + files_var_filetrans($1, man_t, dir, "man") - ') - - ######################################## ++ files_etc_filetrans($1, locale_t, file, "timezone") ++ files_etc_filetrans($1, locale_t, file, "clock") ++ files_etc_filetrans($1, cert_t, dir, "pki") ++ files_usr_filetrans($1, locale_t, dir, "locale") ++ files_usr_filetrans($1, locale_t, dir, "zoneinfo") ++ files_usr_filetrans($1, cert_t, dir, "certs") ++ files_usr_filetrans($1, fonts_t, dir, "fonts") ++ files_usr_filetrans($1, hwdata_t, dir, "hwdata") ++ files_var_filetrans($1, fonts_cache_t, dir, "fontconfig") ++ files_var_filetrans($1, tetex_data_t, dir, "fonts") ++ files_spool_filetrans($1, tetex_data_t, dir, "texmf") ++ files_var_lib_filetrans($1, tetex_data_t, dir, "texmf") ++ files_var_filetrans($1, public_content_t, dir, "ftp") ++') diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te index 703944c..1d3a6a9 100644 --- a/policy/modules/system/miscfiles.te 
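Review bot: In the rewritten `miscfiles_filetrans_named_content`, the `/etc/localtime` transition is restricted to the `file` class, `files_etc_filetrans($1, locale_t, file, "localtime")`; if a caller ever creates `/etc/localtime` as a symlink into zoneinfo instead of copying the file, no transition fires and the link stays at the creator's default label. If that case matters for this release, the rule can name both classes the way `files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file })` does elsewhere in this patch, `files_etc_filetrans($1, locale_t, { file lnk_file }, "localtime")`. The same consideration applies to the `"timezone"` and `"clock"` entries only if they are ever created as links, which I cannot tell from here.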
@@ -69457,7 +69942,7 @@ index 532181a..2410551 100644 /sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0) /sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if -index 9c0faab..5d93844 100644 +index 9c0faab..4178c09 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -12,7 +12,7 @@ @@ -69469,10 +69954,28 @@ index 9c0faab..5d93844 100644 ') getattr_files_pattern($1, modules_object_t, modules_dep_t) -@@ -39,6 +39,26 @@ interface(`modutils_read_module_deps',` +@@ -39,6 +39,44 @@ interface(`modutils_read_module_deps',` ######################################## ## ++## Read the dependencies of kernel modules. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`modutils_delete_module_deps',` ++ gen_require(` ++ type modules_dep_t; ++ ') ++ ++ delete_files_pattern($1, modules_dep_t, modules_dep_t) ++') ++ ++######################################## ++## +## list the configuration options used when +## loading modules. +## @@ -69496,7 +69999,7 @@ index 9c0faab..5d93844 100644 ## Read the configuration options used when ## loading modules. ## -@@ -152,13 +172,7 @@ interface(`modutils_domtrans_insmod_uncond',` +@@ -152,13 +190,7 @@ interface(`modutils_domtrans_insmod_uncond',` ## # interface(`modutils_domtrans_insmod',` @@ -69512,7 +70015,7 @@ index 9c0faab..5d93844 100644 ######################################## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index a0eef20..406f160 100644 +index a0eef20..2273e1a 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -1,9 +1,5 @@ 
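Review bot: The new `modutils_delete_module_deps` interface carries the summary of the interface it was copied from, `## Read the dependencies of kernel modules.`, while its body grants `delete_files_pattern($1, modules_dep_t, modules_dep_t)`; a reader checking what a caller is allowed to do would be told the opposite of the truth. Suggested wording: `## Delete the kernel module dependency files (modules_dep_t).` The rest of the hunk is renumbering of the following interface and needs no change.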
@@ -69578,7 +70081,16 @@ index a0eef20..406f160 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -95,7 +99,6 @@ optional_policy(` +@@ -90,12 +94,15 @@ tunable_policy(`use_samba_home_dirs',` + ') + + optional_policy(` ++ bootloader_rw_tmp_files(insmod_t) ++') ++ ++optional_policy(` + rpm_rw_pipes(depmod_t) + rpm_manage_script_tmp_files(depmod_t) ') optional_policy(` @@ -69586,7 +70098,7 @@ index a0eef20..406f160 100644 unconfined_domain(depmod_t) ') -@@ -104,11 +107,12 @@ optional_policy(` +@@ -104,11 +111,12 @@ optional_policy(` # insmod local policy # @@ -69600,7 +70112,7 @@ index a0eef20..406f160 100644 # Read module config and dependency information list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) -@@ -118,6 +122,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) +@@ -118,6 +126,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) can_exec(insmod_t, insmod_exec_t) @@ -69610,7 +70122,7 @@ index a0eef20..406f160 100644 kernel_load_module(insmod_t) kernel_request_load_module(insmod_t) kernel_read_system_state(insmod_t) -@@ -126,6 +133,7 @@ kernel_write_proc_files(insmod_t) +@@ -126,6 +137,7 @@ kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) @@ -69618,7 +70130,7 @@ index a0eef20..406f160 100644 # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -143,6 +151,7 @@ dev_rw_agp(insmod_t) +@@ -143,6 +155,7 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -69626,7 +70138,7 @@ index a0eef20..406f160 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -161,11 +170,18 @@ files_write_kernel_modules(insmod_t) +@@ -161,11 +174,18 @@ files_write_kernel_modules(insmod_t) fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) 
@@ -69645,7 +70157,7 @@ index a0eef20..406f160 100644 logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -174,41 +190,38 @@ miscfiles_read_localization(insmod_t) +@@ -174,41 +194,38 @@ miscfiles_read_localization(insmod_t) seutil_read_file_contexts(insmod_t) @@ -69696,7 +70208,7 @@ index a0eef20..406f160 100644 ') optional_policy(` -@@ -236,6 +249,10 @@ optional_policy(` +@@ -236,6 +253,10 @@ optional_policy(` ') optional_policy(` @@ -69707,7 +70219,7 @@ index a0eef20..406f160 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -296,7 +313,7 @@ logging_send_syslog_msg(update_modules_t) +@@ -296,7 +317,7 @@ logging_send_syslog_msg(update_modules_t) miscfiles_read_localization(update_modules_t) @@ -72090,10 +72602,10 @@ index 0000000..db57bc7 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..f642930 +index 0000000..79c358c --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,478 @@ +@@ -0,0 +1,502 @@ +## SELinux policy for systemd components + +####################################### @@ -72141,6 +72653,7 @@ index 0000000..f642930 + corecmd_search_bin($1) + can_exec($1, systemd_systemctl_exec_t) + ++ fs_list_cgroup_dirs($1) + systemd_list_unit_dirs($1) + init_list_pid_dirs($1) + init_read_state($1) 
@@ -72445,6 +72958,29 @@ index 0000000..f642930 + allow $1 systemd_passwd_agent_t:process signal; +') + ++####################################### ++## ++## Send generic signals to systemd_passwd_agent processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_manage_passwd_run',` ++ gen_require(` ++ type systemd_passwd_agent_t; ++ type systemd_passwd_var_run_t; ++ ') ++ ++ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) ++ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) ++ ++ allow systemd_passwd_agent_t $1:process signull; ++ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto; ++') ++ +###################################### +## +## Template for temporary sockets and files in /dev/.systemd/ask-password @@ -72574,10 +73110,10 @@ index 0000000..f642930 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..a906f40 +index 0000000..1449552 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,369 @@ +@@ -0,0 +1,370 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -72730,8 +73266,9 @@ index 0000000..a906f40 +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); ++manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); +manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); -+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file }) ++init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file }) + +kernel_stream_connect(systemd_passwd_agent_t) + @@ -72948,7 +73485,7 @@ index 0000000..a906f40 + +miscfiles_read_localization(systemctl_domain) 
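Review bot: The summary of the new `systemd_manage_passwd_run` interface is copied from the interface above it, `## Send generic signals to systemd_passwd_agent processes.`, and describes neither of the two things the body does: it grants `$1` manage access to files and sock files in `systemd_passwd_var_run_t`, and it adds two rules in the opposite direction, `allow systemd_passwd_agent_t $1:process signull;` and `allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;`. The reverse-direction grants are worth documenting explicitly, because a caller reading only the interface name would not expect the agent to gain access to its own domain. Suggested wording: `## Manage systemd password agent runtime files and sockets, and allow the agent to signull and send datagrams to the caller.`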
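Review bot: The line added to systemd.te, `manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);`, ends with a semicolon after the pattern macro, as do the two existing `manage_*_pattern` lines around it, whereas the rest of the file's macro calls (e.g. `kernel_stream_connect(systemd_passwd_agent_t)`) carry none. If the build tolerates the stray `;` it is harmless, but the refpolicy convention is to omit it, so I would drop it from the new line rather than propagate the style. The companion change to `init_pid_filetrans(... { dir fifo_file file })` is consistent with the new file-class grant.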
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc -index 0291685..7e94f4b 100644 +index 0291685..397e4f6 100644 --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc @@ -1,6 +1,6 @@ @@ -72961,7 +73498,14 @@ index 0291685..7e94f4b 100644 /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) -@@ -21,4 +21,6 @@ +@@ -15,10 +15,13 @@ + /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) + /sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) + /sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) ++/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) + /sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) + /sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) + /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 3a9e0acb..8e171f07 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 43%{?dist} +Release: 45%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -482,6 +482,12 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Oct 20 2011 Miroslav Grepl 3.10.0-45 +- Remove tzdata policy +- Add labeling for udev +- Add cloudform policy +- Fixes for bootloader policy + * Wed Oct 19 2011 Miroslav Grepl 3.10.0-43 - Add policies for nova openstack
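Review bot: The new file context `/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)` is inserted between the `/sbin/udevd` and `/sbin/udevsend` entries, breaking the path ordering the surrounding udev.fc block keeps; fc files are conventionally sorted by path so that duplicate or shadowed specifications stand out on review. Move the line above the first `/sbin/` entry of the hunk. The label itself matches the existing udevd entries, so the transition into the udev domain is unaffected by where the line sits.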