- Dontaudit random domains listing /proc and hitting system_map_t

- devicekit_power sends out a signal to all processes on the message bus when power is going down
- Modify xdm_write_home to also allow creating links as xdm_home_t if the boolean is true
- systemd_tmpfiles_t needs to _setcheckreqprot
- Add unconfined_server to be run by init_t when it executes files labeled bin_t, or usr_t, allow all domains to communicate with it
- Fixed snapperd policy
- Fixed broken interfaces
- Should use rw_socket_perms rather than sock_file on a unix_stream_socket
- Fixed bugs for pcp policy
- pcscd seems to be using policy kit and looking at domains proc data that transition to it
- Allow dbus_system_domains to be started by init
- Fixed some interfaces
- Adopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send audit messages.
- Allow postfix-local to search .forward in munin lib dirs
- Allow udisks to connect to D-Bus
- Allow spamd to connect to spamd port
- Fix syntax error in snapper.te
- Dontaudit osad to search gconf home files
- Allow rhsmcertd to manage /etc/sysconf/rhn directory
- Fix pcp labeling to accept /usr/bin for all daemon binaries
- Fix mcelog_read_log() interface
- Allow iscsid to manage iscsi lib files
- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
- Allow ABRT to read puppet certs
- Allow virtd_lxc_t to specify the label of a socket
- New version of docker requires more access
Miroslav Grepl 2014-02-14 13:09:05 +01:00
parent 05a36cdcd0
commit 7a727702c0
3 changed files with 490 additions and 319 deletions



@ -10427,7 +10427,7 @@ index a3760bc..a570048 100644
+ +
+init_sigchld_script(cachefiles_kernel_t) +init_sigchld_script(cachefiles_kernel_t)
diff --git a/calamaris.if b/calamaris.if diff --git a/calamaris.if b/calamaris.if
index cd9c528..9de38c4 100644 index cd9c528..ba793b7 100644
--- a/calamaris.if --- a/calamaris.if
+++ b/calamaris.if +++ b/calamaris.if
@@ -42,7 +42,7 @@ interface(`calamaris_run',` @@ -42,7 +42,7 @@ interface(`calamaris_run',`
@ -10435,7 +10435,7 @@ index cd9c528..9de38c4 100644
') ')
- lightsquid_domtrans($1) - lightsquid_domtrans($1)
+ clamd_domtrans($1) + calamaris_domtrans($1)
roleattribute $2 calamaris_roles; roleattribute $2 calamaris_roles;
') ')
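Review bot: the `calamaris_run` hunk corrects a copy-paste error: the previous version called `clamd_domtrans($1)`, so a role granted calamaris_run was actually handed a transition into the clamd domain, and `+ calamaris_domtrans($1)` is the right fix. Please also confirm that the `gen_require` block of this interface (just above the hunk) names the calamaris types and not leftover clamd ones.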
@ -11186,10 +11186,10 @@ index 0000000..57866f6
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0) +HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
diff --git a/chrome.if b/chrome.if diff --git a/chrome.if b/chrome.if
new file mode 100644 new file mode 100644
index 0000000..5977d96 index 0000000..8ea5b7c
--- /dev/null --- /dev/null
+++ b/chrome.if +++ b/chrome.if
@@ -0,0 +1,134 @@ @@ -0,0 +1,133 @@
+ +
+## <summary>policy for chrome</summary> +## <summary>policy for chrome</summary>
+ +
@ -11276,9 +11276,8 @@ index 0000000..5977d96
+ +
+ allow chrome_sandbox_t $2:unix_dgram_socket { read write }; + allow chrome_sandbox_t $2:unix_dgram_socket { read write };
+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; + allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
+ allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;; + allow chrome_sandbox_t $2:unix_stream_socket rw_socket_perms;;
+ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown; + allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_socket_perms;
+ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms;
+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write }; + allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write }; + allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
+ +
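Review bot: the trailing `;;` on `allow chrome_sandbox_t $2:unix_stream_socket rw_socket_perms;;` is carried over from the old line and should be a single `;`. The substitution itself is correct: `rw_inherited_sock_file_perms` is a file-class permission set and has no meaning on the `unix_stream_socket` class, which is what the changelog entry about using `rw_socket_perms` refers to. Dropping `dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;` is consistent, since `rw_socket_perms` already includes `shutdown`.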
@ -19280,7 +19279,7 @@ index dda905b..31f269b 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+') +')
diff --git a/dbus.if b/dbus.if diff --git a/dbus.if b/dbus.if
index 62d22cb..ff0c9da 100644 index 62d22cb..2d33fcd 100644
--- a/dbus.if --- a/dbus.if
+++ b/dbus.if +++ b/dbus.if
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -19802,7 +19801,7 @@ index 62d22cb..ff0c9da 100644
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Type to be used as a domain. ## Type to be used as a domain.
@@ -397,81 +403,66 @@ interface(`dbus_manage_lib_files',` @@ -397,81 +403,67 @@ interface(`dbus_manage_lib_files',`
## </param> ## </param>
## <param name="entry_point"> ## <param name="entry_point">
## <summary> ## <summary>
@ -19827,6 +19826,7 @@ index 62d22cb..ff0c9da 100644
+ domain_entry_file($1, $2) + domain_entry_file($1, $2)
+ +
+ domtrans_pattern(system_dbusd_t, $2, $1) + domtrans_pattern(system_dbusd_t, $2, $1)
+ init_system_domain($1, $2)
+ +
+ ps_process_pattern($1, system_dbusd_t) + ps_process_pattern($1, system_dbusd_t)
+ +
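Review bot: `init_system_domain($1, $2)` inside `dbus_system_domain` applies to every caller of the interface, so every D-Bus activated system service becomes directly startable by init through its entry point `$2`. That matches the changelog line about dbus_system_domains, but it is a blanket widening rather than a per-service one; a short comment above the call explaining why init needs the transition would help later readers judge whether it is still required.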
@ -19911,7 +19911,7 @@ index 62d22cb..ff0c9da 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -479,18 +470,18 @@ interface(`dbus_spec_session_domain',` @@ -479,18 +471,18 @@ interface(`dbus_spec_session_domain',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -19935,7 +19935,7 @@ index 62d22cb..ff0c9da 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -498,98 +489,80 @@ interface(`dbus_connect_system_bus',` @@ -498,98 +490,80 @@ interface(`dbus_connect_system_bus',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -20062,7 +20062,7 @@ index 62d22cb..ff0c9da 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -597,28 +570,32 @@ interface(`dbus_use_system_bus_fds',` @@ -597,28 +571,32 @@ interface(`dbus_use_system_bus_fds',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -23074,10 +23074,10 @@ index c7bb4e7..e6fe2f40 100644
sysnet_etc_filetrans_config(dnssec_triggerd_t) sysnet_etc_filetrans_config(dnssec_triggerd_t)
diff --git a/docker.fc b/docker.fc diff --git a/docker.fc b/docker.fc
new file mode 100644 new file mode 100644
index 0000000..1c4ac02 index 0000000..fd679a1
--- /dev/null --- /dev/null
+++ b/docker.fc +++ b/docker.fc
@@ -0,0 +1,17 @@ @@ -0,0 +1,18 @@
+/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0) +/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0)
+ +
+/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0) +/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
@ -23086,6 +23086,7 @@ index 0000000..1c4ac02
+ +
+/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0) +/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
+/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0) +/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0)
+/var/run/docker-client(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0)
+ +
+/var/lock/lxc(/.*)? gen_context(system_u:object_r:docker_lock_t,s0) +/var/lock/lxc(/.*)? gen_context(system_u:object_r:docker_lock_t,s0)
+ +
@ -23097,10 +23098,10 @@ index 0000000..1c4ac02
+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0) +/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
diff --git a/docker.if b/docker.if diff --git a/docker.if b/docker.if
new file mode 100644 new file mode 100644
index 0000000..cc6846a index 0000000..89401fe
--- /dev/null --- /dev/null
+++ b/docker.if +++ b/docker.if
@@ -0,0 +1,323 @@ @@ -0,0 +1,324 @@
+ +
+## <summary>The open-source application container engine.</summary> +## <summary>The open-source application container engine.</summary>
+ +
@ -23372,6 +23373,7 @@ index 0000000..cc6846a
+ +
+ files_pid_filetrans($1, docker_var_run_t, file, "docker.pid") + files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
+ files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock") + files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
+ files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
+ logging_log_filetrans($1, docker_log_t, dir, "lxc") + logging_log_filetrans($1, docker_log_t, dir, "lxc")
+ files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker") + files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
+ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env") + filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
@ -23426,10 +23428,10 @@ index 0000000..cc6846a
+') +')
diff --git a/docker.te b/docker.te diff --git a/docker.te b/docker.te
new file mode 100644 new file mode 100644
index 0000000..18e4ef8 index 0000000..a1e6966
--- /dev/null --- /dev/null
+++ b/docker.te +++ b/docker.te
@@ -0,0 +1,236 @@ @@ -0,0 +1,239 @@
+policy_module(docker, 1.0.0) +policy_module(docker, 1.0.0)
+ +
+######################################## +########################################
@ -23508,6 +23510,7 @@ index 0000000..18e4ef8
+manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) +manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) +manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
+fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file }) +fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
+allow docker_t docker_tmpfs_t:chr_file mounton;
+ +
+manage_dirs_pattern(docker_t, docker_share_t, docker_share_t) +manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
+manage_files_pattern(docker_t, docker_share_t, docker_share_t) +manage_files_pattern(docker_t, docker_share_t, docker_share_t)
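Review bot: `allow docker_t docker_tmpfs_t:chr_file mounton;` is scoped to docker's own tmpfs type, so it only permits bind mounts on device nodes docker itself created there; that is acceptable, but a comment naming the use case (device nodes bound into containers) would keep it from being mistaken for a general mount permission.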
@ -23640,6 +23643,8 @@ index 0000000..18e4ef8
+ +
+modutils_domtrans_insmod(docker_t) +modutils_domtrans_insmod(docker_t)
+ +
+userdom_stream_connect(docker_t)
+
+optional_policy(` +optional_policy(`
+ dbus_system_bus_client(docker_t) + dbus_system_bus_client(docker_t)
+ init_dbus_chat(docker_t) + init_dbus_chat(docker_t)
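Review bot: `userdom_stream_connect(docker_t)` grants docker_t `connectto` on the unix stream sockets of all user domains, which is far broader than the single socket a new docker release presumably needs, and the changelog only says "New version of docker requires more access". Suggest a comment naming the socket that produced the denial and, if it has its own type, a rule limited to that type.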
@ -28542,7 +28547,7 @@ index e39de43..6a6db28 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if diff --git a/gnome.if b/gnome.if
index ab09d61..edd1c94 100644 index ab09d61..d0bfef0 100644
--- a/gnome.if --- a/gnome.if
+++ b/gnome.if +++ b/gnome.if
@@ -1,52 +1,78 @@ @@ -1,52 +1,78 @@
@ -30013,7 +30018,7 @@ index ab09d61..edd1c94 100644
+# +#
+interface(`gnome_create_home_config_dirs',` +interface(`gnome_create_home_config_dirs',`
+ gen_require(` + gen_require(`
+ type cache_home_t; + type config_home_t;
+ ') + ')
+ +
+ allow $1 config_home_t:dir create_dir_perms; + allow $1 config_home_t:dir create_dir_perms;
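Review bot: the `gen_require` in `gnome_create_home_config_dirs` previously required `cache_home_t` while the body uses `config_home_t`, so the interface would not build in any module that did not already require `config_home_t`; requiring `config_home_t` is the correct fix.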
@ -33047,7 +33052,7 @@ index 0000000..9278f85
+ +
diff --git a/ipa.if b/ipa.if diff --git a/ipa.if b/ipa.if
new file mode 100644 new file mode 100644
index 0000000..c6cf456 index 0000000..deb738f
--- /dev/null --- /dev/null
+++ b/ipa.if +++ b/ipa.if
@@ -0,0 +1,21 @@ @@ -0,0 +1,21 @@
@ -33065,7 +33070,7 @@ index 0000000..c6cf456
+# +#
+interface(`ipa_domtrans_otpd',` +interface(`ipa_domtrans_otpd',`
+ gen_require(` + gen_require(`
+ type ipa_otpd_t, ipa_otpd_t_exec_t; + type ipa_otpd_t, ipa_otpd_exec_t;
+ ') + ')
+ +
+ corecmd_search_bin($1) + corecmd_search_bin($1)
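Review bot: `ipa_otpd_t_exec_t` is a typo for `ipa_otpd_exec_t`; the require block must name the same type the `domtrans_pattern` below it uses, otherwise `ipa_domtrans_otpd` fails to build.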
@ -53910,7 +53915,7 @@ index 379af96..fac7d7b 100644
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0) +/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0) +/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:nutups_cgi_script_exec_t,s0)
diff --git a/nut.if b/nut.if diff --git a/nut.if b/nut.if
index 57c0161..54bd4d7 100644 index 57c0161..dae3360 100644
--- a/nut.if --- a/nut.if
+++ b/nut.if +++ b/nut.if
@@ -1,39 +1,24 @@ @@ -1,39 +1,24 @@
@ -53966,7 +53971,7 @@ index 57c0161..54bd4d7 100644
- files_search_pids($1) - files_search_pids($1)
- admin_pattern($1, nut_var_run_t) - admin_pattern($1, nut_var_run_t)
+ ps_process_pattern($1, swift_t) + ps_process_pattern($1, nut_t)
') ')
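Review bot: `ps_process_pattern($1, swift_t)` in the nut admin interface was copied from the swift policy; `nut_t` is the right target. Since the surrounding hunk also shows `files_search_pids($1)` and `admin_pattern($1, nut_var_run_t)` removed, please confirm those lines were relocated rather than dropped, so admins keep access to the pid files.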
diff --git a/nut.te b/nut.te diff --git a/nut.te b/nut.te
index 5b2cb0d..249224e 100644 index 5b2cb0d..249224e 100644
@ -58594,10 +58599,10 @@ index 0000000..9b8cb6b
+/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0) +/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
diff --git a/pcp.if b/pcp.if diff --git a/pcp.if b/pcp.if
new file mode 100644 new file mode 100644
index 0000000..4f074cb index 0000000..f099f7c
--- /dev/null --- /dev/null
+++ b/pcp.if +++ b/pcp.if
@@ -0,0 +1,100 @@ @@ -0,0 +1,121 @@
+## <summary>The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation</summary> +## <summary>The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation</summary>
+ +
+###################################### +######################################
@ -58698,12 +58703,33 @@ index 0000000..4f074cb
+ corecmd_search_bin($1) + corecmd_search_bin($1)
+ can_exec($1, pcp_pmie_exec_t) + can_exec($1, pcp_pmie_exec_t)
+') +')
+
+########################################
+## <summary>
+## Allow the specified domain to execute pcp_pmlogger
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pcp_pmlogger_exec',`
+ gen_require(`
+ type pcp_pmlogger_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, pcp_pmlogger_exec_t)
+')
+
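Review bot: the documentation of `pcp_pmlogger_exec` is inconsistent: the summary says execute "in the caller domain", which matches `can_exec`, but the parameter summary says "Domain allowed to transition". No transition happens here; change the parameter text to "Domain allowed access." and check the neighbouring `pcp_pmie_exec` for the same wording.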
diff --git a/pcp.te b/pcp.te diff --git a/pcp.te b/pcp.te
new file mode 100644 new file mode 100644
index 0000000..8ec3a48 index 0000000..d21c5d7
--- /dev/null --- /dev/null
+++ b/pcp.te +++ b/pcp.te
@@ -0,0 +1,164 @@ @@ -0,0 +1,192 @@
+policy_module(pcp, 1.0.0) +policy_module(pcp, 1.0.0)
+ +
+######################################## +########################################
@ -58769,6 +58795,8 @@ index 0000000..8ec3a48
+ +
+dev_read_urand(pcp_domain) +dev_read_urand(pcp_domain)
+ +
+files_read_etc_files(pcp_domain)
+
+fs_getattr_all_fs(pcp_domain) +fs_getattr_all_fs(pcp_domain)
+ +
+auth_read_passwd(pcp_domain) +auth_read_passwd(pcp_domain)
@ -58786,6 +58814,8 @@ index 0000000..8ec3a48
+allow pcp_pmcd_t self:netlink_route_socket create_socket_perms; +allow pcp_pmcd_t self:netlink_route_socket create_socket_perms;
+allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;; +allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;;
+ +
+auth_use_nsswitch(pcp_pmcd_t)
+
+kernel_read_network_state(pcp_pmcd_t) +kernel_read_network_state(pcp_pmcd_t)
+kernel_read_system_state(pcp_pmcd_t) +kernel_read_system_state(pcp_pmcd_t)
+kernel_read_state(pcp_pmcd_t) +kernel_read_state(pcp_pmcd_t)
@ -58807,9 +58837,9 @@ index 0000000..8ec3a48
+fs_getattr_all_dirs(pcp_pmcd_t) +fs_getattr_all_dirs(pcp_pmcd_t)
+fs_list_cgroup_dirs(pcp_pmcd_t) +fs_list_cgroup_dirs(pcp_pmcd_t)
+ +
+storage_getattr_fixed_disk_dev(pcp_pmcd_t) +logging_send_syslog_msg(pcp_pmcd_t)
+ +
+auth_use_nsswitch(pcp_pmcd_t) +storage_getattr_fixed_disk_dev(pcp_pmcd_t)
+ +
+optional_policy(` +optional_policy(`
+ dbus_system_bus_client(pcp_pmcd_t) + dbus_system_bus_client(pcp_pmcd_t)
@ -58826,9 +58856,12 @@ index 0000000..8ec3a48
+ +
+allow pcp_pmproxy_t self:process setsched; +allow pcp_pmproxy_t self:process setsched;
+allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms; +allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms;
+allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms;
+ +
+auth_use_nsswitch(pcp_pmproxy_t) +auth_use_nsswitch(pcp_pmproxy_t)
+ +
+logging_send_syslog_msg(pcp_pmproxy_t)
+
+######################################## +########################################
+# +#
+# pcp_pmwebd local policy +# pcp_pmwebd local policy
@ -58842,21 +58875,27 @@ index 0000000..8ec3a48
+# +#
+ +
+allow pcp_pmmgr_t self:process { setpgid }; +allow pcp_pmmgr_t self:process { setpgid };
+ +allow pcp_pmmgr_t self:unix_dgram_socket create_socket_perms;
+allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto; +allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto;
+ +
+kernel_read_system_state(pcp_pmmgr_t) +kernel_read_system_state(pcp_pmmgr_t)
+ +
+auth_use_nsswitch(pcp_pmmgr_t)
+
+corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t) +corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)
+ +
+corenet_tcp_bind_commplex_link_port(pcp_pmmgr_t)
+corenet_tcp_bind_dey_sapi_port(pcp_pmmgr_t)
+
+corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t) +corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t)
+ +
+corecmd_exec_bin(pcp_pmmgr_t) +corecmd_exec_bin(pcp_pmmgr_t)
+ +
+auth_use_nsswitch(pcp_pmmgr_t) +logging_send_syslog_msg(pcp_pmmgr_t)
+ +
+optional_policy(` +optional_policy(`
+ pcp_pmie_exec(pcp_pmmgr_t) + pcp_pmie_exec(pcp_pmmgr_t)
+ pcp_pmlogger_exec(pcp_pmmgr_t)
+') +')
+ +
+######################################## +########################################
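Review bot: the `optional_policy` wrapper around `pcp_pmie_exec(pcp_pmmgr_t)` and `pcp_pmlogger_exec(pcp_pmmgr_t)` is unnecessary, since both interfaces are defined in this same pcp module and are always present. Also, `corenet_tcp_bind_commplex_link_port` binds a generic shared port label rather than a pcp-specific one; if pmmgr needs its own listening port, a dedicated port type would be cleaner than reusing a generic label.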
@ -58868,11 +58907,35 @@ index 0000000..8ec3a48
+ +
+allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto; +allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
+ +
+corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
+
+########################################
+#
+# pcp_pmlogger local policy
+#
+
+allow pcp_pmlogger_t self:process setpgid;
+allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };
+
+allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
+
+corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
+corenet_tcp_bind_generic_node(pcp_pmlogger_t)
+
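Review bot: style nit in `allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };`: missing space after `{`. The rule itself is fine, because `create_socket_perms` does not include `nlmsg_read`, so listing it separately is required.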
diff --git a/pcscd.if b/pcscd.if diff --git a/pcscd.if b/pcscd.if
index 43d50f9..7f77d32 100644 index 43d50f9..6b1544f 100644
--- a/pcscd.if --- a/pcscd.if
+++ b/pcscd.if +++ b/pcscd.if
@@ -50,7 +50,7 @@ interface(`pcscd_read_pid_files',` @@ -17,6 +17,8 @@ interface(`pcscd_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, pcscd_exec_t, pcscd_t)
+
+ ps_process_pattern(pcscd_t, $1)
')
########################################
@@ -50,7 +52,7 @@ interface(`pcscd_read_pid_files',`
') ')
files_search_pids($1) files_search_pids($1)
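Review bot: `ps_process_pattern(pcscd_t, $1)` inside `pcscd_domtrans` grants pcscd_t read access to the /proc state of every domain that transitions to it, the reverse direction from what a domtrans interface normally grants, and callers will not expect that side effect. The changelog says pcscd only "seems to be" reading this data; if it is a polkit check on the caller, a comment saying so would justify the rule and make the interface's effect on `$1` explicit.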
@ -58882,7 +58945,7 @@ index 43d50f9..7f77d32 100644
######################################## ########################################
diff --git a/pcscd.te b/pcscd.te diff --git a/pcscd.te b/pcscd.te
index 1fb1964..c5ec0c4 100644 index 1fb1964..36eb845 100644
--- a/pcscd.te --- a/pcscd.te
+++ b/pcscd.te +++ b/pcscd.te
@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") @@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
@ -58925,7 +58988,18 @@ index 1fb1964..c5ec0c4 100644
sysnet_dns_name_resolve(pcscd_t) sysnet_dns_name_resolve(pcscd_t)
optional_policy(` optional_policy(`
@@ -85,3 +82,7 @@ optional_policy(` @@ -73,6 +70,10 @@ optional_policy(`
')
optional_policy(`
+ policykit_dbus_chat(pcscd_t)
+')
+
+optional_policy(`
openct_stream_connect(pcscd_t)
openct_read_pid_files(pcscd_t)
openct_signull(pcscd_t)
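Review bot: `policykit_dbus_chat(pcscd_t)` only has an effect if pcscd_t is already a system bus client (`dbus_system_bus_client`), which is not visible in this hunk; please confirm it is present elsewhere in pcscd.te, otherwise the chat rule alone will not let pcscd reach polkit.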
@@ -85,3 +86,8 @@ optional_policy(`
optional_policy(` optional_policy(`
udev_read_db(pcscd_t) udev_read_db(pcscd_t)
') ')
@ -58933,6 +59007,7 @@ index 1fb1964..c5ec0c4 100644
+optional_policy(` +optional_policy(`
+ virt_rw_svirt_dev(pcscd_t) + virt_rw_svirt_dev(pcscd_t)
+') +')
+
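Review bot: the final `+` adds a trailing blank line at the end of pcscd.te; drop it to keep the file consistent with the other .te files in the patch.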
diff --git a/pegasus.fc b/pegasus.fc diff --git a/pegasus.fc b/pegasus.fc
index dfd46e4..d40433a 100644 index dfd46e4..d40433a 100644
--- a/pegasus.fc --- a/pegasus.fc
@ -74056,7 +74131,7 @@ index e240ac9..638d6b4 100644
+ +
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0) +/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
diff --git a/redis.if b/redis.if diff --git a/redis.if b/redis.if
index 16c8ecb..9fc0cb9 100644 index 16c8ecb..2640ab5 100644
--- a/redis.if --- a/redis.if
+++ b/redis.if +++ b/redis.if
@@ -1,9 +1,224 @@ @@ -1,9 +1,224 @@
@ -74273,7 +74348,7 @@ index 16c8ecb..9fc0cb9 100644
+ ') + ')
+ +
+ systemd_exec_systemctl($1) + systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1) + systemd_read_fifo_file_passwd_run($1)
+ allow $1 redis_unit_file_t:file read_file_perms; + allow $1 redis_unit_file_t:file read_file_perms;
+ allow $1 redis_unit_file_t:service manage_service_perms; + allow $1 redis_unit_file_t:service manage_service_perms;
+ +
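Review bot: `systemd_read_fifo_file_password_run` is not an interface name, so the old line would have been left unexpanded by m4 and failed at checkmodule for any module calling `redis_admin`; `systemd_read_fifo_file_passwd_run` is the correct name.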
@ -88175,7 +88250,7 @@ index 0000000..94105ee
+') +')
diff --git a/snapper.te b/snapper.te diff --git a/snapper.te b/snapper.te
new file mode 100644 new file mode 100644
index 0000000..838f907 index 0000000..a299f53
--- /dev/null --- /dev/null
+++ b/snapper.te +++ b/snapper.te
@@ -0,0 +1,66 @@ @@ -0,0 +1,66 @@
@ -88193,8 +88268,8 @@ index 0000000..838f907
+type snapperd_log_t; +type snapperd_log_t;
+logging_log_file(snapperd_log_t) +logging_log_file(snapperd_log_t)
+ +
+type snappperd_conf_t; +type snapperd_conf_t;
+files_config_file(snappperd_conf_t) +files_config_file(snapperd_conf_t)
+ +
+type snapperd_data_t; +type snapperd_data_t;
+files_type(snapperd_data_t) +files_type(snapperd_data_t)
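Review bot: `snappperd_conf_t` → `snapperd_conf_t` fixes the triple-p typo, which is presumably the "Fix syntax error in snapper.te" changelog item. Please check that every other reference (the fc entry for /etc/snapper and the `manage_*_pattern` rules that follow) uses the corrected name, since the misspelled declaration would otherwise leave those rules pointing at an undeclared type.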
@ -98851,7 +98926,7 @@ index facdee8..fddb027 100644
+ virt_stream_connect($1) + virt_stream_connect($1)
') ')
diff --git a/virt.te b/virt.te diff --git a/virt.te b/virt.te
index f03dcf5..81e9d56 100644 index f03dcf5..2a43838 100644
--- a/virt.te --- a/virt.te
+++ b/virt.te +++ b/virt.te
@@ -1,150 +1,197 @@ @@ -1,150 +1,197 @@
@ -100188,7 +100263,7 @@ index f03dcf5..81e9d56 100644
+# virt_lxc local policy +# virt_lxc local policy
# #
+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid }; +allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid };
+allow virtd_lxc_t self:process { transition setpgid signal_perms }; +allow virtd_lxc_t self:process { setsockcreate transition setpgid signal_perms };
+allow virtd_lxc_t self:capability2 compromise_kernel; +allow virtd_lxc_t self:capability2 compromise_kernel;
-allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource }; -allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
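Review bot: `setsockcreate` on `virtd_lxc_t self:process` lets the domain pick the label of sockets it creates, as the changelog states. Given the same domain already holds `sys_admin`, `setpcap` and `capability2 compromise_kernel`, this is consistent with a container manager, but a comment naming the socket label it sets would stop reviewers from reading it as an accidental widening.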
@ -100971,7 +101046,7 @@ index 0000000..5726cdb
+/usr/lib/systemd/system/vmtoolsd.* -- gen_context(system_u:object_r:vmtools_unit_file_t,s0) +/usr/lib/systemd/system/vmtoolsd.* -- gen_context(system_u:object_r:vmtools_unit_file_t,s0)
diff --git a/vmtools.if b/vmtools.if diff --git a/vmtools.if b/vmtools.if
new file mode 100644 new file mode 100644
index 0000000..044be2f index 0000000..82fc528
--- /dev/null --- /dev/null
+++ b/vmtools.if +++ b/vmtools.if
@@ -0,0 +1,78 @@ @@ -0,0 +1,78 @@
@ -101042,7 +101117,7 @@ index 0000000..044be2f
+ ps_process_pattern($1, vmtools_t) + ps_process_pattern($1, vmtools_t)
+ +
+ tunable_policy(`deny_ptrace',`',` + tunable_policy(`deny_ptrace',`',`
+ allow $1 ninfod_t:process ptrace; + allow $1 vmtools_t:process ptrace;
+ ') + ')
+ +
+ vmtools_systemctl($1) + vmtools_systemctl($1)
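Review bot: `allow $1 ninfod_t:process ptrace;` was copied from the ninfod policy; `vmtools_t` is the correct type for the vmtools admin interface. Check the `gen_require` of this interface for any other leftover ninfod types.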
@ -105172,7 +105247,7 @@ index 0000000..ceaa219
+/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0) +/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0)
diff --git a/zoneminder.if b/zoneminder.if diff --git a/zoneminder.if b/zoneminder.if
new file mode 100644 new file mode 100644
index 0000000..d02a6f4 index 0000000..e0604c7
--- /dev/null --- /dev/null
+++ b/zoneminder.if +++ b/zoneminder.if
@@ -0,0 +1,374 @@ @@ -0,0 +1,374 @@
@ -105385,7 +105460,7 @@ index 0000000..d02a6f4
+# +#
+interface(`zoneminder_manage_lib_sock_files',` +interface(`zoneminder_manage_lib_sock_files',`
+ gen_require(` + gen_require(`
+ type sock_var_lib_t; + type zoneminder_sock_var_lib_t;
+ ') + ')
+ files_search_var_lib($1) + files_search_var_lib($1)
+ manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t) + manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
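Review bot: the corrected require now names `zoneminder_sock_var_lib_t`, but the body still calls `manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)`, so the required type is never used and `zoneminder_var_lib_t` is used without being required. Either the pattern should use `zoneminder_sock_var_lib_t`, which is what the interface name `zoneminder_manage_lib_sock_files` suggests, or the require should name `zoneminder_var_lib_t`.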


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 23%{?dist} Release: 24%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -578,7 +578,36 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Mon Feb 11 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-23 * Fri Feb 14 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-24
- Dontaudit rendom domains listing /proc and hittping system_map_t
- devicekit_power sends out a signal to all processes on the message bus when power is going down
- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
- systemd_tmpfiles_t needs to _setcheckreqprot
- Add unconfined_server to be run by init_t when it executes files labeled bin_t, or usr_t, allow all domains to communicate with it
- Fixed snapperd policy
- Fixed broken interfaces
- Should use rw_socket_perms rather then sock_file on a unix_stream_socket
- Fixed bugsfor pcp policy
- pcscd seems to be using policy kit and looking at domains proc data that transition to it
- Allow dbus_system_domains to be started by init
- Fixed some interfaces
- Addopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send send audit messages.
- Allow postfix-local to search .forward in munin lib dirs
- Allow udisks to connect to D-Bus
- Allow spamd to connect to spamd port
- Fix syntax error in snapper.te
- Dontaudit osad to search gconf home files
- Allow rhsmcertd to manage /etc/sysconf/rhn director
- Fix pcp labeling to accept /usr/bin for all daemon binaries
- Fix mcelog_read_log() interface
- Allow iscsid to manage iscsi lib files
- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
- Allow ABRT to read puppet certs
- Allow virtd_lxc_t to specify the label of a socket
- New version of docker requires more access
* Mon Feb 10 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-23
- Addopt corenet rules for unbound-anchor to rpm_script_t - Addopt corenet rules for unbound-anchor to rpm_script_t
- Allow runuser to send send audit messages. - Allow runuser to send send audit messages.
- Allow postfix-local to search .forward in munin lib dirs - Allow postfix-local to search .forward in munin lib dirs
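Review bot: the new %changelog entry carries the typos from the commit message ("rendom", "hittping", "Addopt", "send send", "rather then", "bugsfor", "director"); since %changelog ships in the built RPM, fix them here as well. The correction of the previous entry's date from "Mon Feb 11 2014" to "Mon Feb 10 2014" is right (Feb 10 was the Monday), and rpmbuild warns about day/date mismatches in %changelog.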