From 8f800d48df9cca319f92162fd3695e6fdfd9881b Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 23 Mar 2009 14:56:43 +0000
Subject: [PATCH] trunk: 14 patches from dan.

---
 policy/modules/kernel/corenetwork.te.in | 3 +-
 policy/modules/services/apcupsd.fc | 2 -
 policy/modules/services/apcupsd.te | 2 +-
 policy/modules/services/avahi.if | 18 ++++++++
 policy/modules/services/avahi.te | 2 +-
 policy/modules/services/bluetooth.fc | 1 +
 policy/modules/services/bluetooth.if | 5 ++-
 policy/modules/services/bluetooth.te | 9 ++--
 policy/modules/services/cvs.if | 4 +-
 policy/modules/services/cvs.te | 2 +-
 policy/modules/services/dnsmasq.fc | 2 +
 policy/modules/services/dnsmasq.if | 57 +++++++++++++++++++++++++
 policy/modules/services/dnsmasq.te | 12 +++---
 policy/modules/services/kerberos.fc | 1 +
 policy/modules/services/kerberos.te | 3 +-
 policy/modules/services/openvpn.fc | 1 +
 policy/modules/services/openvpn.if | 36 ++++++++++++++++
 policy/modules/services/openvpn.te | 12 +++++-
 policy/modules/services/pcscd.fc | 1 +
 policy/modules/services/pcscd.te | 13 +++++-
 policy/modules/services/radvd.te | 4 +-
 policy/modules/services/rlogin.te | 18 ++++++--
 policy/modules/services/rsync.te | 6 ++-
 policy/modules/services/stunnel.fc | 3 +-
 policy/modules/services/stunnel.te | 5 ++-
 policy/modules/services/sysstat.fc | 2 +-
 policy/modules/services/sysstat.te | 5 ++-
 policy/modules/services/uucp.fc | 2 +
 policy/modules/services/uucp.te | 9 +++-
 29 files changed, 204 insertions(+), 36 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 203e848f..b9c19654 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.11.4)
+policy_module(corenetwork, 1.11.5)
 ########################################
 #
@@ -118,6 +118,7 @@ network_port(jabber_interserver, tcp,5269,s0)
 network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
+network_port(kprop, tcp,754,s0)
 network_port(ktalkd, udp,517,s0, udp,518,s0)
 network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
index 36c832ea..cd07b96e 100644
--- a/policy/modules/services/apcupsd.fc
+++ b/policy/modules/services/apcupsd.fc
@@ -1,8 +1,6 @@
 /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
-ifdef(`distro_debian',`
 /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
-')
 /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index 3cea8fbe..ee8cf513 100644
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@@ -1,5 +1,5 @@
-policy_module(apcupsd, 1.5.2)
+policy_module(apcupsd, 1.5.3)
 ########################################
 #
diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
index 74823c8f..a8ecaf3a 100644
--- a/policy/modules/services/avahi.if
+++ b/policy/modules/services/avahi.if
@@ -55,6 +55,24 @@ interface(`avahi_kill',`
 allow $1 avahi_t:process sigkill;
 ')
+########################################
+##
+## Send avahi a signull
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`avahi_signull',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process signull;
+')
+
 ########################################
 ##
 ## Send and receive messages from
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 12e4a8cb..d1c43f95 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
-policy_module(avahi, 1.10.2)
+policy_module(avahi, 1.10.3)
 ########################################
 #
diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc
index caa93384..dc687e6d 100644
--- a/policy/modules/services/bluetooth.fc
+++ b/policy/modules/services/bluetooth.fc
@@ -15,6 +15,7 @@
 /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 835c5763..f6028fde 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -173,7 +173,7 @@ interface(`bluetooth_dontaudit_read_helper_state',`
 interface(`bluetooth_admin',`
 gen_require(`
 type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
- type bluetooth_var_lib_t, bluetooth_var_run_t;
+ type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
 type bluetooth_conf_t, bluetooth_conf_rw_t;
 type bluetooth_initrc_exec_t;
 ')
@@ -196,6 +196,9 @@ interface(`bluetooth_admin',`
 admin_pattern($1, bluetooth_conf_t)
 admin_pattern($1, bluetooth_conf_rw_t)
+ files_list_spool($1)
+ admin_pattern($1, bluetooth_spool_t)
+
 files_list_var_lib($1)
 admin_pattern($1, bluetooth_var_lib_t)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 227540b3..c5d67be8 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
-policy_module(bluetooth, 3.1.2)
+policy_module(bluetooth, 3.1.3)
 ########################################
 #
@@ -93,6 +93,7 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
 kernel_read_kernel_sysctls(bluetooth_t)
 kernel_read_system_state(bluetooth_t)
+kernel_read_network_state(bluetooth_t)
 corenet_all_recvfrom_unlabeled(bluetooth_t)
 corenet_all_recvfrom_netlabel(bluetooth_t)
@@ -147,10 +148,10 @@ optional_policy(`
 optional_policy(`
 cups_dbus_chat(bluetooth_t)
 ')
-')
-optional_policy(`
- nis_use_ypbind(bluetooth_t)
+ optional_policy(`
+ hal_dbus_chat(bluetooth_t)
+ ')
 ')
 optional_policy(`
diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
index 718d0aaa..c43ff4c1 100644
--- a/policy/modules/services/cvs.if
+++ b/policy/modules/services/cvs.if
@@ -15,7 +15,9 @@ interface(`cvs_read_data',`
 type cvs_data_t;
 ')
- allow $1 cvs_data_t:file { getattr read };
+ list_dirs_pattern($1, cvs_data_t, cvs_data_t)
+ read_files_pattern($1, cvs_data_t, cvs_data_t)
+ read_lnk_files_pattern($1, cvs_data_t, cvs_data_t)
 ')
 ########################################
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 09b9969d..0918b43a 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -1,5 +1,5 @@
-policy_module(cvs, 1.7.2)
+policy_module(cvs, 1.7.3)
 ########################################
 #
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
index 5b9d6c04..a328ceab 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
@@ -4,4 +4,6 @@
 /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+
 /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
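Review bot: In the third bluetooth.te hunk the `nis_use_ypbind(bluetooth_t)` optional block is removed and nothing in the hunk replaces it; dnsmasq.te in this same commit swaps the same call for `auth_use_nsswitch(dnsmasq_t)`, but no equivalent is visible for bluetooth_t. If `auth_use_nsswitch(bluetooth_t)` is not already present elsewhere in the file, NIS-backed name lookups by the daemon would now be denied, so either add it or note in the commit why the access is no longer needed. The outer `optional_policy(`` block that the new `hal_dbus_chat` call is nested in starts outside the hunk.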
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
index 6c2dd405..016d1918 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -39,6 +39,25 @@ interface(`dnsmasq_signal',`
 allow $1 dnsmasq_t:process signal;
 ')
+########################################
+##
+## Send dnsmasq a signull
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_signull',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process signull;
+')
+
 ########################################
 ##
 ## Send dnsmasq a kill signal.
@@ -58,6 +77,44 @@ interface(`dnsmasq_kill',`
 allow $1 dnsmasq_t:process sigkill;
 ')
+########################################
+##
+## Delete dnsmasq pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_delete_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+##
+## Read dnsmasq pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_read_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
 ########################################
 ##
 ## All of the rules required to administrate
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 26f8ba37..bb77a2f2 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -1,5 +1,5 @@
-policy_module(dnsmasq, 1.7.1)
+policy_module(dnsmasq, 1.7.2)
 ########################################
 #
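Review bot: `dnsmasq_read_pid_files` and `dnsmasq_delete_pid_files` in the second dnsmasq.if hunk grant access to `dnsmasq_var_run_t` objects but give the caller no search permission on the pid directory they live under, so a domain that does not already have it cannot reach `/var/run/dnsmasq.pid`. The usual refpolicy shape for such interfaces adds `files_search_pids($1)` before the pattern call; adding that line to both interfaces makes them usable on their own. The three new dnsmasq interfaces also carry a doubled `#` separator (`+#` / `+#`) before `interface(`, where the avahi.if and openvpn.if additions in this same commit use a single `#`; one or the other should be made consistent.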
@@ -69,23 +69,20 @@ domain_use_interactive_fds(dnsmasq_t)
 # allow access to dnsmasq.conf
 files_read_etc_files(dnsmasq_t)
+files_read_etc_runtime_files(dnsmasq_t)
 fs_getattr_all_fs(dnsmasq_t)
 fs_search_auto_mountpoints(dnsmasq_t)
+auth_use_nsswitch(dnsmasq_t)
+
 logging_send_syslog_msg(dnsmasq_t)
 miscfiles_read_localization(dnsmasq_t)
-sysnet_read_config(dnsmasq_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
 userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-optional_policy(`
- nis_use_ypbind(dnsmasq_t)
-')
-
 optional_policy(`
 seutil_sigchld_newrole(dnsmasq_t)
 ')
@@ -96,4 +93,5 @@ optional_policy(`
 optional_policy(`
 virt_manage_lib_files(dnsmasq_t)
+ virt_read_pid_files(dnsmasq_t)
 ')
diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
index 4a5974b9..80468315 100644
--- a/policy/modules/services/kerberos.fc
+++ b/policy/modules/services/kerberos.fc
@@ -19,6 +19,7 @@
 /var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
 /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
 /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 /var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index f5f46e47..a66fb18b 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,5 +1,5 @@
-policy_module(kerberos, 1.9.2)
+policy_module(kerberos, 1.9.3)
 ########################################
 #
@@ -290,6 +290,7 @@ corenet_tcp_sendrecv_generic_if(kpropd_t)
 corenet_tcp_sendrecv_generic_node(kpropd_t)
 corenet_tcp_sendrecv_all_ports(kpropd_t)
 corenet_tcp_bind_generic_node(kpropd_t)
+corenet_tcp_bind_kprop_port(kpropd_t)
 dev_read_urand(kpropd_t)
diff --git a/policy/modules/services/openvpn.fc b/policy/modules/services/openvpn.fc
index 405b5bc7..9c186d2c 100644
--- a/policy/modules/services/openvpn.fc
+++ b/policy/modules/services/openvpn.fc
@@ -2,6 +2,7 @@
 # /etc
 #
 /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
+/etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
 /etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
 #
diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
index 18d95e6e..aab62974 100644
--- a/policy/modules/services/openvpn.if
+++ b/policy/modules/services/openvpn.if
@@ -44,6 +44,24 @@ interface(`openvpn_run',`
 role $2 types openvpn_t;
 ')
+########################################
+##
+## Send OPENVPN clients the kill signal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvpn_kill',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process sigkill;
+')
+
 ########################################
 ##
 ## Send generic signals to OPENVPN clients.
@@ -62,6 +80,24 @@ interface(`openvpn_signal',`
 allow $1 openvpn_t:process signal;
 ')
+########################################
+##
+## Send signulls to OPENVPN clients.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvpn_signull',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process signull;
+')
+
 ########################################
 ##
 ## Allow the specified domain to read
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 7ddf99e9..fc95508f 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -1,5 +1,5 @@
-policy_module(openvpn, 1.7.2)
+policy_module(openvpn, 1.7.3)
 ########################################
 #
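Review bot: The new openvpn.fc entry `/etc/openvpn/ipp.txt` leaves the dot unescaped, unlike the neighbouring `/etc/rc\.d/init\.d/openvpn` line; file-context paths are regular expressions, so as written the entry also matches any single character in that position. It should read `/etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)`. The over-match is small because the entry is more specific than the `/etc/openvpn(/.*)?` line above it, but the escaping should match the rest of the file.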
@@ -22,6 +22,9 @@ init_daemon_domain(openvpn_t, openvpn_exec_t)
 type openvpn_etc_t;
 files_config_file(openvpn_etc_t)
+type openvpn_etc_rw_t;
+files_config_file(openvpn_etc_rw_t)
+
 type openvpn_initrc_exec_t;
 init_script_file(openvpn_initrc_exec_t)
@@ -40,6 +43,7 @@ files_pid_file(openvpn_var_run_t)
 allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
 allow openvpn_t self:process { signal getsched };
+allow openvpn_t self:fifo_file rw_fifo_file_perms;
 allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
 allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -47,11 +51,13 @@ allow openvpn_t self:udp_socket create_socket_perms;
 allow openvpn_t self:tcp_socket server_stream_socket_perms;
 allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
-allow openvpn_t openvpn_etc_t:dir list_dir_perms;
 can_exec(openvpn_t, openvpn_etc_t)
 read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
 read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
+manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
+filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+
 allow openvpn_t openvpn_var_log_t:file manage_file_perms;
 logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
@@ -99,6 +105,8 @@ miscfiles_read_certs(openvpn_t)
 sysnet_dns_name_resolve(openvpn_t)
 sysnet_exec_ifconfig(openvpn_t)
+sysnet_write_config(openvpn_t)
+sysnet_etc_filetrans_config(openvpn_t)
 userdom_use_user_terminals(openvpn_t)
diff --git a/policy/modules/services/pcscd.fc b/policy/modules/services/pcscd.fc
index f2df0fc7..87f17e8d 100644
--- a/policy/modules/services/pcscd.fc
+++ b/policy/modules/services/pcscd.fc
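Review bot: In the first openvpn.te hunk the new type `openvpn_etc_rw_t` is declared without saying what it labels; openvpn.fc in this commit assigns it only to the ipp.txt file under /etc/openvpn, so a one-line note such as `# writable state kept under /etc/openvpn (ipp.txt, see openvpn.fc)` above `type openvpn_etc_rw_t;` would explain why it is split from the read-only `openvpn_etc_t`. In the last hunk, `sysnet_write_config(openvpn_t)` and `sysnet_etc_filetrans_config(openvpn_t)` let the VPN daemon rewrite and create the system network configuration files, a noticeably wider grant than the rest of the module, and it should carry a why-comment (presumably so that settings pushed by the server can be applied — confirm against what openvpn actually writes). The third hunk drops `allow openvpn_t openvpn_etc_t:dir list_dir_perms;`; if directory listing is now expected to come from the `manage_files_pattern` call on the same directory type, a short comment there would save the next reader from re-adding it.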
@@ -1,5 +1,6 @@
 /var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
 /var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
 /var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
 /usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index adefaaeb..ed9e17f5 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -1,5 +1,5 @@
-policy_module(pcscd, 1.4.2)
+policy_module(pcscd, 1.4.3)
 ########################################
 #
@@ -27,9 +27,10 @@ allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
 allow pcscd_t self:unix_dgram_socket create_socket_perms;
 allow pcscd_t self:tcp_socket create_stream_socket_perms;
+manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
-files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file })
+files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
 corenet_all_recvfrom_unlabeled(pcscd_t)
 corenet_all_recvfrom_netlabel(pcscd_t)
@@ -56,6 +57,14 @@ miscfiles_read_localization(pcscd_t)
 sysnet_dns_name_resolve(pcscd_t)
+optional_policy(`
+ dbus_system_bus_client(pcscd_t)
+
+ optional_policy(`
+ hal_dbus_chat(pcscd_t)
+ ')
+')
+
 optional_policy(`
 openct_stream_connect(pcscd_t)
 openct_read_pid_files(pcscd_t)
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index b37971ce..4f205320 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -1,5 +1,5 @@
-policy_module(radvd, 1.10.2)
+policy_module(radvd, 1.10.3)
 ########################################
 #
@@ -22,7 +22,7 @@ files_config_file(radvd_etc_t)
 #
 # Local policy
 #
-allow radvd_t self:capability { setgid setuid net_raw };
+allow radvd_t self:capability { setgid setuid net_raw net_admin };
 dontaudit radvd_t self:capability sys_tty_config;
 allow radvd_t self:process signal_perms;
 allow radvd_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index b05c1a86..2b87f325 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -1,5 +1,5 @@
-policy_module(rlogin, 1.8.2)
+policy_module(rlogin, 1.8.3)
 ########################################
 #
@@ -90,9 +90,21 @@ userdom_read_user_home_content_files(rlogind_t)
 remotelogin_domtrans(rlogind_t)
 remotelogin_signal(rlogind_t)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(rlogind_t)
+ fs_read_nfs_files(rlogind_t)
+ fs_read_nfs_symlinks(rlogind_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(rlogind_t)
+ fs_read_cifs_files(rlogind_t)
+ fs_read_cifs_symlinks(rlogind_t)
+')
+
 optional_policy(`
- kerberos_use(rlogind_t)
- kerberos_read_keytab(rlogind_t)
+ kerberos_keytab_template(rlogind, rlogind_t)
+ kerberos_manage_host_rcache(rlogind_t)
 ')
 optional_policy(`
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 9367c216..f9e9396a 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -1,5 +1,5 @@
-policy_module(rsync, 1.8.2)
+policy_module(rsync, 1.8.3)
 ########################################
 #
@@ -119,5 +119,9 @@ optional_policy(`
 tunable_policy(`rsync_export_all_ro',`
 fs_read_noxattr_fs_files(rsync_t)
+ auth_read_all_dirs_except_shadow(rsync_t)
 auth_read_all_files_except_shadow(rsync_t)
+ auth_read_all_symlinks_except_shadow(rsync_t)
+ auth_tunable_read_shadow(rsync_t)
 ')
+auth_can_read_shadow_passwords(rsync_t)
diff --git a/policy/modules/services/stunnel.fc b/policy/modules/services/stunnel.fc
index 2806b91c..c3aec89f 100644
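Review bot: In the rsync.te hunk, `auth_can_read_shadow_passwords(rsync_t)` is placed outside the `rsync_export_all_ro` tunable block while `auth_tunable_read_shadow(rsync_t)` sits inside it, which reads as an unconditional grant of shadow-file access to the rsync daemon. If, as in refpolicy, that interface only assigns the attribute consulted by the shadow neverallow and has to be unconditional because attribute assignments are not permitted inside `tunable_policy`, say so on the line: `# attribute only; the actual shadow read is gated by rsync_export_all_ro above`. It is also worth confirming that letting the daemon read the shadow file under a tunable whose name promises read-only export of files is the intended scope, since the tunable's description (outside this hunk) may need updating to mention it. The radvd.te hunk adds `net_admin` to the daemon's capability set with no comment on what it is needed for; a short why-comment there would help later audits of that broad capability.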
--- a/policy/modules/services/stunnel.fc
+++ b/policy/modules/services/stunnel.fc
@@ -1,6 +1,7 @@
-
 /etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0)
+/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
+
 /usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
 /var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 07929884..43523e91 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -1,5 +1,5 @@
-policy_module(stunnel, 1.8.2)
+policy_module(stunnel, 1.8.3)
 ########################################
 #
@@ -54,6 +54,8 @@ kernel_read_kernel_sysctls(stunnel_t)
 kernel_read_system_state(stunnel_t)
 kernel_read_network_state(stunnel_t)
+corecmd_exec_bin(stunnel_t)
+
 corenet_all_recvfrom_unlabeled(stunnel_t)
 corenet_all_recvfrom_netlabel(stunnel_t)
 corenet_tcp_sendrecv_generic_if(stunnel_t)
@@ -105,6 +107,7 @@ ifdef(`distro_gentoo', `
 dev_read_urand(stunnel_t)
 files_read_etc_files(stunnel_t)
+ files_read_etc_runtime_files(stunnel_t)
 files_search_home(stunnel_t)
 optional_policy(`
diff --git a/policy/modules/services/sysstat.fc b/policy/modules/services/sysstat.fc
index b319f6af..08d999cf 100644
--- a/policy/modules/services/sysstat.fc
+++ b/policy/modules/services/sysstat.fc
@@ -1,6 +1,6 @@
 /usr/lib(64)?/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
-/usr/lib(64)?/sa/sadc -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+/usr/lib(64)?/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
 /usr/lib(64)?/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
 /var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index 2a81c8e6..7d769bc4 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -1,5 +1,5 @@
-policy_module(sysstat, 1.4.0)
+policy_module(sysstat, 1.4.1)
 ########################################
 #
@@ -19,13 +19,14 @@ logging_log_file(sysstat_log_t)
 # Local policy
 #
-allow sysstat_t self:capability sys_resource;
+allow sysstat_t self:capability { sys_resource sys_tty_config };
 dontaudit sysstat_t self:capability sys_admin;
 allow sysstat_t self:fifo_file rw_fifo_file_perms;
 can_exec(sysstat_t, sysstat_exec_t)
 manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+read_lnk_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
 # get info from /proc
diff --git a/policy/modules/services/uucp.fc b/policy/modules/services/uucp.fc
index 0ddfd096..e1c0d8d8 100644
--- a/policy/modules/services/uucp.fc
+++ b/policy/modules/services/uucp.fc
@@ -6,4 +6,6 @@
 /var/spool/uucp(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
 /var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
+/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0)
+
 /var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index e5999d67..63c9e594 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -1,5 +1,5 @@
-policy_module(uucp, 1.9.2)
+policy_module(uucp, 1.9.3)
 ########################################
 #
@@ -10,6 +10,9 @@ type uucpd_exec_t;
 inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
 role system_r types uucpd_t;
+type uucpd_lock_t;
+files_lock_file(uucpd_lock_t)
+
 type uucpd_tmp_t;
 files_tmp_file(uucpd_tmp_t)
@@ -58,6 +61,10 @@ manage_lnk_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
 uucp_manage_spool(uucpd_t)
+manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+files_search_locks(uucpd_t)
+
 manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
 manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
 files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
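Review bot: The new `uucpd_lock_t` rules give `uucpd_t` manage access on lock dirs and files plus `files_search_locks`, but unlike the tmp rules directly below them there is no type transition, so a lock directory or file the daemon creates directly under /var/lock (rather than inside an already-labelled /var/lock/uucp) would be created with the generic lock type instead of `uucpd_lock_t`. Adding `files_lock_filetrans(uucpd_t, uucpd_lock_t, { file dir })` after `files_search_locks(uucpd_t)` mirrors the existing `files_tmp_filetrans` line and keeps the labelling independent of relabeling order. If the daemon is known to only ever create entries below an existing /var/lock/uucp, a comment saying so would be the alternative.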