trunk: six patches from dan.

policy/modules/services/apcupsd.fc

@@ -5,5 +5,11 @@ ifdef(`distro_debian',`
 /usr/sbin/apcupsd		--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
 
 /var/log/apcupsd\.events.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
+/var/log/apcupsd\.status.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
 
 /var/run/apcupsd\.pid		--	gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+
+/var/www/apcupsd/multimon.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsfstats.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsimage.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
+/var/www/apcupsd/upsstats.cgi	--	gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)

policy/modules/services/apcupsd.if

@@ -79,3 +79,21 @@ interface(`apcupsd_append_log',`
 	allow $1 apcupsd_log_t:dir list_dir_perms;
 	allow $1 apcupsd_log_t:file { getattr append };
 ')
+
+########################################
+## <summary>
+##	Execute a domain transition to run httpd_apcupsd_cgi_script.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`httpd_apcupsd_cgi_script_domtrans',`
+	gen_require(`
+		type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
+	')
+
+	domtrans_pattern($1,httpd_apcupsd_cgi_script_exec_t,httpd_apcupsd_cgi_script_t)
+')

policy/modules/services/apcupsd.te

@@ -1,5 +1,5 @@
 
-policy_module(apcupsd,1.1.1)
+policy_module(apcupsd,1.1.2)
 
 ########################################
 #
@@ -16,6 +16,9 @@ files_lock_file(apcupsd_lock_t)
 type apcupsd_log_t;
 logging_log_file(apcupsd_log_t)
 
+type apcupsd_tmp_t;
+files_tmp_file(apcupsd_tmp_t)
+
 type apcupsd_var_run_t;
 files_pid_file(apcupsd_var_run_t)
 
@@ -24,6 +27,7 @@ files_pid_file(apcupsd_var_run_t)
 # apcupsd local policy
 #
 
+allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
 allow apcupsd_t self:process signal;
 allow apcupsd_t self:fifo_file rw_file_perms;
 allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
@@ -36,9 +40,17 @@ allow apcupsd_t apcupsd_log_t:dir setattr;
 manage_files_pattern(apcupsd_t,apcupsd_log_t,apcupsd_log_t)
 logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir })
 
+manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
+files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file)
+
 manage_files_pattern(apcupsd_t,apcupsd_var_run_t,apcupsd_var_run_t)
 files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)
 
+kernel_read_system_state(apcupsd_t)
+
+corecmd_exec_bin(apcupsd_t)
+corecmd_exec_shell(apcupsd_t)
+
 corenet_all_recvfrom_unlabeled(apcupsd_t)
 corenet_all_recvfrom_netlabel(apcupsd_t)
 corenet_tcp_sendrecv_generic_if(apcupsd_t)
@@ -47,6 +59,7 @@ corenet_tcp_sendrecv_all_ports(apcupsd_t)
 corenet_tcp_bind_all_nodes(apcupsd_t)
 corenet_tcp_bind_apcupsd_port(apcupsd_t)
 corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
+corenet_tcp_connect_apcupsd_port(apcupsd_t)
 
 dev_rw_generic_usb_dev(apcupsd_t)
 
@@ -55,6 +68,16 @@ domain_use_interactive_fds(apcupsd_t)
 
 files_read_etc_files(apcupsd_t)
 files_search_locks(apcupsd_t)
+# Creates /etc/nologin
+files_manage_etc_runtime_files(apcupsd_t)
+files_etc_filetrans_etc_runtime(apcupsd_t,file)
+
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
+term_use_unallocated_ttys(apcupsd_t)
+
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
 
 libs_use_ld_so(apcupsd_t)
 libs_use_shared_libs(apcupsd_t)
@@ -64,6 +87,37 @@ logging_send_syslog_msg(apcupsd_t)
 miscfiles_read_localization(apcupsd_t)
 
 ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_ttys(apcupsd_t)
 	term_dontaudit_use_generic_ptys(apcupsd_t)
 ')
+
+optional_policy(`
+	hostname_exec(apcupsd_t)
+')
+
+optional_policy(`
+	mta_send_mail(apcupsd_t)
+')
+
+########################################
+#
+# apcupsd_cgi Declarations
+#
+
+optional_policy(`
+	apache_content_template(apcupsd_cgi)
+	
+	allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+	allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+	
+	corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
+	corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
+	corenet_tcp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
+	corenet_tcp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
+	corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+	corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t)
+	corenet_udp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
+	corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
+	corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+	
+	sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t)
+')

policy/modules/services/networkmanager.fc

@@ -1,5 +1,6 @@
+/usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 
-/usr/(s)?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)

policy/modules/services/networkmanager.te

@@ -1,5 +1,5 @@
 
-policy_module(networkmanager,1.7.0)
+policy_module(networkmanager,1.7.1)
 
 ########################################
 #
@@ -31,6 +31,8 @@ allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
 allow NetworkManager_t self:udp_socket create_socket_perms;
 allow NetworkManager_t self:packet_socket create_socket_perms;
 
+can_exec(NetworkManager_t, NetworkManager_exec_t)
+
 manage_dirs_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
 manage_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
 manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
@@ -161,6 +163,11 @@ optional_policy(`
 	nscd_signal(NetworkManager_t)
 ')
 
+optional_policy(`
+	openvpn_domtrans(NetworkManager_t)
+	openvpn_signal(NetworkManager_t)
+')
+
 optional_policy(`
 	ppp_domtrans(NetworkManager_t)
 	ppp_read_pid_files(NetworkManager_t)

policy/modules/services/openvpn.if

@@ -1,5 +1,73 @@
 ## <summary>full-featured SSL VPN solution</summary>
 
+########################################
+## <summary>
+##	Execute OPENVPN clients in the openvpn domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvpn_domtrans',`
+	gen_require(`
+		type openvpn_t, openvpn_exec_t;
+	')
+
+	domtrans_pattern($1, openvpn_exec_t, openvpn_t)
+')
+
+########################################
+## <summary>
+##	Execute OPENVPN clients in the openvpn domain, and
+##	allow the specified role the openvpn domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the openvpn domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the openvpn domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`openvpn_run',`
+	gen_require(`
+		type openvpn_t;
+	')
+
+	openvpn_domtrans($1)
+	role $2 types openvpn_t;
+	allow openvpn_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Send generic signals to OPENVPN clients.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openvpn_signal',`
+	gen_require(`
+		type openvpn_t;
+	')
+
+	allow $1 openvpn_t:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to read

policy/modules/services/openvpn.te

@@ -1,11 +1,18 @@
 
-policy_module(openvpn,1.3.0)
+policy_module(openvpn,1.3.1)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow openvpn to read home directories
+## </p>
+## </desc>
+gen_tunable(openvpn_enable_homedirs,false)
+
 # main openvpn domain
 type openvpn_t;
 type openvpn_exec_t;
@@ -28,7 +35,9 @@ files_pid_file(openvpn_var_run_t)
 # openvpn local policy
 #
 
-allow openvpn_t self:capability { net_bind_service net_admin setgid setuid sys_tty_config };
+allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
+allow openvpn_t self:process { signal getsched };
+
 allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
 allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow openvpn_t self:udp_socket create_socket_perms;
@@ -42,8 +51,8 @@ read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
 allow openvpn_t openvpn_var_log_t:file manage_file_perms;
 logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
 
-allow openvpn_t openvpn_var_run_t:file manage_file_perms;
-files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
+manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
 
 kernel_read_kernel_sysctls(openvpn_t)
 kernel_read_net_sysctls(openvpn_t)
@@ -67,6 +76,7 @@ corenet_tcp_bind_openvpn_port(openvpn_t)
 corenet_udp_bind_openvpn_port(openvpn_t)
 corenet_sendrecv_openvpn_server_packets(openvpn_t)
 corenet_rw_tun_tap_dev(openvpn_t)
+corenet_tcp_connect_openvpn_port(openvpn_t)
 
 dev_search_sysfs(openvpn_t)
 dev_read_rand(openvpn_t)
@@ -81,6 +91,7 @@ libs_use_shared_libs(openvpn_t)
 logging_send_syslog_msg(openvpn_t)
 
 miscfiles_read_localization(openvpn_t)
+miscfiles_read_certs(openvpn_t)
 
 sysnet_dns_name_resolve(openvpn_t)
 sysnet_exec_ifconfig(openvpn_t)
@@ -90,6 +101,18 @@ ifdef(`targeted_policy',`
 	term_use_generic_ptys(openvpn_t)
 ')
 
+tunable_policy(`openvpn_enable_homedirs',`
+	userdom_read_unpriv_users_home_content_files(openvpn_t)
+')
+
 optional_policy(`
 	daemontools_service_domain(openvpn_t,openvpn_exec_t)
 ')
+
+optional_policy(`
+	dbus_system_bus_client_template(openvpn,openvpn_t)
+	dbus_connect_system_bus(openvpn_t)
+	dbus_send_system_bus(openvpn_t)
+
+	networkmanager_dbus_chat(openvpn_t)
+')

policy/modules/services/rwho.fc

@@ -1,3 +1,5 @@
 /usr/sbin/rwhod		--	gen_context(system_u:object_r:rwho_exec_t,s0)
 
 /var/spool/rwho(/.*)?		gen_context(system_u:object_r:rwho_spool_t,s0)
+
+/var/log/rwhod(/.*)?		gen_context(system_u:object_r:rwho_log_t,s0)

policy/modules/services/rwho.if

@@ -18,6 +18,46 @@ interface(`rwho_domtrans',`
 	domtrans_pattern($1,rwho_exec_t,rwho_t)
 ')
 
+########################################
+## <summary>
+##	Search rwho log directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rwho_search_log',`
+	gen_require(`
+		type rwho_log_t;
+	')
+
+	allow $1 rwho_log_t:dir search_dir_perms;
+	logging_search_logs($1)
+')
+
+########################################
+## <summary>
+##	Read rwho log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rwho_read_log_files',`
+	gen_require(`
+		type rwho_log_t;
+	')
+
+	allow $1 rwho_log_t:file read_file_perms;
+	allow $1 rwho_log_t:dir list_dir_perms;
+	logging_search_logs($1)
+')
+
+
 ########################################
 ## <summary>
 ##	Search rwho spool directories.

policy/modules/services/rwho.te

@@ -1,5 +1,5 @@
 
-policy_module(rwho,1.1.0)
+policy_module(rwho,1.1.1)
 
 ########################################
 #
@@ -10,7 +10,9 @@ type rwho_t;
 type rwho_exec_t;
 init_daemon_domain(rwho_t, rwho_exec_t)
 
-# var/spool files
+type rwho_log_t;
+files_type(rwho_log_t)
+
 type rwho_spool_t;
 files_type(rwho_spool_t)
 
@@ -25,7 +27,10 @@ allow rwho_t self:fifo_file rw_file_perms;
 allow rwho_t self:unix_stream_socket create_stream_socket_perms;
 allow rwho_t self:udp_socket create_socket_perms;
 
-# var/spool files for rwho
+allow rwho_t rwho_log_t:dir manage_dir_perms;
+allow rwho_t rwho_log_t:file manage_file_perms;
+logging_log_filetrans(rwho_t, rwho_log_t, { file dir })
+
 allow rwho_t rwho_spool_t:dir manage_dir_perms;
 allow rwho_t rwho_spool_t:file manage_file_perms;
 files_spool_filetrans(rwho_t,rwho_spool_t, { file dir })

policy/modules/services/spamassassin.fc

@@ -8,7 +8,11 @@
 
 /var/lib/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_lib_t,s0)
 
+/var/run/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/run/spamass-milter(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
+
 /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
 
 ifdef(`strict_policy',`
 HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)

policy/modules/services/spamassassin.te

@@ -1,5 +1,5 @@
 
-policy_module(spamassassin,1.7.1)
+policy_module(spamassassin,1.7.2)
 
 ########################################
 #
@@ -87,8 +87,9 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
 allow spamd_t spamd_var_lib_t:dir list_dir_perms;
 read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t)
 
-manage_files_pattern(spamd_t,spamd_var_run_t,spamd_var_run_t)
-files_pid_filetrans(spamd_t,spamd_var_run_t,file)
+manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
 
 kernel_read_all_sysctls(spamd_t)
 kernel_read_system_state(spamd_t)

policy/modules/system/raid.te

@@ -1,5 +1,5 @@
 
-policy_module(raid,1.3.0)
+policy_module(raid,1.3.1)
 
 ########################################
 #
@@ -70,6 +70,7 @@ miscfiles_read_localization(mdadm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
 userdom_dontaudit_use_sysadm_ttys(mdadm_t)
+userdom_dontaudit_search_all_users_home_content(mdadm_t)
 
 mta_send_mail(mdadm_t)