- Change usbmuxd_t to dontaudit attempts to read chr_file

- Add mysqld_safe_exec_t for libra domains to be able to start private mysql domains
- Allow pppd to search /var/lock dir
- Add rhsmcertd policy
Miroslav Grepl 2011-06-30 17:55:41 +02:00
parent 81fbb0fccd
commit 975370d58e
3 changed files with 596 additions and 62 deletions


@ -2410,3 +2410,10 @@ dspam = module
# lldpad - Link Layer Discovery Protocol (LLDP) agent daemon
#
lldpad = module
# Layer: services
# Module: rhsmcertd
#
# Subscription Management Certificate Daemon policy
#
rhsmcertd = module


@ -2359,7 +2359,7 @@ index d0604cf..3089f30 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
index 8966ec9..f4e6c4b 100644
index 8966ec9..8fbe943 100644
--- a/policy/modules/admin/shutdown.te
+++ b/policy/modules/admin/shutdown.te
@@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0)
@ -2406,7 +2406,7 @@ index 8966ec9..f4e6c4b 100644
init_stream_connect(shutdown_t)
init_telinit(shutdown_t)
@@ -54,10 +58,20 @@ logging_send_audit_msgs(shutdown_t)
@@ -54,10 +58,24 @@ logging_send_audit_msgs(shutdown_t)
miscfiles_read_localization(shutdown_t)
optional_policy(`
@ -2423,6 +2423,10 @@ index 8966ec9..f4e6c4b 100644
+ oddjob_sigchld(shutdown_t)
+')
+
+optional_policy(`
+ rhev_sigchld_agentd(shutdown_t)
+')
+
+optional_policy(`
xserver_dontaudit_write_log(shutdown_t)
+ xserver_xdm_append_log(shutdown_t)
@ -8487,10 +8491,10 @@ index 0000000..6efdeca
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
index 0000000..d6d2f78
index 0000000..61a5e86
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
@@ -0,0 +1,492 @@
@@ -0,0 +1,493 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@ -8667,6 +8671,7 @@ index 0000000..d6d2f78
+allow sandbox_x_domain self:msgq create_msgq_perms;
+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow sandbox_x_domain self:netlink_selinux_socket { create_socket_perms };
+
+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
+
@ -9169,7 +9174,7 @@ index 7590165..9a7ebe5 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
index 3cfb128..de71ea8 100644
index 3cfb128..cfeed29 100644
--- a/policy/modules/apps/telepathy.if
+++ b/policy/modules/apps/telepathy.if
@@ -11,7 +11,6 @@
@ -9197,7 +9202,18 @@ index 3cfb128..de71ea8 100644
gen_require(`
attribute telepathy_domain;
type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
@@ -179,3 +179,75 @@ interface(`telepathy_salut_stream_connect', `
@@ -78,6 +78,10 @@ template(`telepathy_role', `
dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
')
+ optional_policy(`
+ telepathy_dbus_chat($2)
+ ')
+
########################################
## <summary>
## Stream connect to Telepathy Gabble
@@ -179,3 +183,75 @@ interface(`telepathy_salut_stream_connect', `
stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
files_search_tmp($1)
')
@ -9274,7 +9290,7 @@ index 3cfb128..de71ea8 100644
+ ')
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
index 2533ea0..f41eb44 100644
index 2533ea0..f605e0a 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -32,6 +32,8 @@ userdom_user_home_content(telepathy_gabble_cache_home_t)
@ -9301,7 +9317,18 @@ index 2533ea0..f41eb44 100644
corenet_all_recvfrom_netlabel(telepathy_gabble_t)
corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
@@ -168,6 +178,11 @@ tunable_policy(`use_samba_home_dirs',`
@@ -112,6 +122,10 @@ optional_policy(`
dbus_system_bus_client(telepathy_gabble_t)
')
+optional_policy(`
+ gnome_read_home_config(telepathy_gabble_t)
+')
+
#######################################
#
# Telepathy Idle local policy.
@@ -168,6 +182,11 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(telepathy_logger_t)
')
@ -9313,7 +9340,7 @@ index 2533ea0..f41eb44 100644
#######################################
#
# Telepathy Mission-Control local policy.
@@ -176,6 +191,7 @@ tunable_policy(`use_samba_home_dirs',`
@@ -176,6 +195,7 @@ tunable_policy(`use_samba_home_dirs',`
manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
@ -9321,7 +9348,7 @@ index 2533ea0..f41eb44 100644
dev_read_rand(telepathy_mission_control_t)
@@ -194,6 +210,12 @@ tunable_policy(`use_samba_home_dirs',`
@@ -194,6 +214,12 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(telepathy_mission_control_t)
')
@ -9334,7 +9361,7 @@ index 2533ea0..f41eb44 100644
#######################################
#
# Telepathy Butterfly and Haze local policy.
@@ -205,8 +227,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
@@ -205,8 +231,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
@ -9346,7 +9373,7 @@ index 2533ea0..f41eb44 100644
corenet_all_recvfrom_netlabel(telepathy_msn_t)
corenet_all_recvfrom_unlabeled(telepathy_msn_t)
@@ -246,6 +271,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
@@ -246,6 +275,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
')
optional_policy(`
@ -9357,7 +9384,15 @@ index 2533ea0..f41eb44 100644
dbus_system_bus_client(telepathy_msn_t)
optional_policy(`
@@ -376,5 +405,23 @@ optional_policy(`
@@ -365,6 +398,7 @@ dev_read_urand(telepathy_domain)
kernel_read_system_state(telepathy_domain)
+fs_getattr_all_fs(telepathy_domain)
fs_search_auto_mountpoints(telepathy_domain)
auth_use_nsswitch(telepathy_domain)
@@ -376,5 +410,23 @@ optional_policy(`
')
optional_policy(`
@ -9374,13 +9409,13 @@ index 2533ea0..f41eb44 100644
')
+
+# Just for F15
+#optional_policy(`
+# gen_require(`
+# role unconfined_r;
+# ')
+#
+# role unconfined_r types telepathy_domain;
+#')
+optional_policy(`
+ gen_require(`
+ role unconfined_r;
+ ')
+
+ role unconfined_r types telepathy_domain;
+')
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index 11fe4f2..98bfbf3 100644
--- a/policy/modules/apps/tvtime.te
@ -18486,7 +18521,7 @@ index 0ecc786..dbf2710 100644
userdom_dontaudit_search_user_home_dirs(webadm_t)
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
index e88b95f..4b5f106 100644
index e88b95f..0eb55db 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
@ -18557,7 +18592,7 @@ index e88b95f..4b5f106 100644
')
')
@@ -76,23 +87,98 @@ optional_policy(`
@@ -76,23 +87,102 @@ optional_policy(`
')
optional_policy(`
@ -18575,10 +18610,9 @@ index e88b95f..4b5f106 100644
+
+optional_policy(`
+ gnome_role(xguest_r, xguest_t)
')
optional_policy(`
- mozilla_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ gnomeclock_dontaudit_dbus_chat(xguest_t)
+')
+
@ -18596,11 +18630,16 @@ index e88b95f..4b5f106 100644
+
+optional_policy(`
+ nsplugin_role(xguest_r, xguest_t)
')
optional_policy(`
- mozilla_role(xguest_r, xguest_t)
+ pcscd_read_pub_files(xguest_usertype)
+ pcscd_stream_connect(xguest_usertype)
+')
+
+optional_policy(`
+ pcscd_read_pub_files(xguest_usertype)
+ pcscd_stream_connect(xguest_usertype)
+ rhsmcertd_dontaudit_dbus_chat(xguest_t)
')
optional_policy(`
@ -18643,7 +18682,7 @@ index e88b95f..4b5f106 100644
+ corenet_tcp_connect_speech_port(xguest_usertype)
+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
')
+ ')
+
+ #optional_policy(`
+ # telepathy_dbus_session_role(xguest_r, xguest_t)
@ -18653,7 +18692,7 @@ index e88b95f..4b5f106 100644
+optional_policy(`
+ gen_require(`
+ type mozilla_t;
+ ')
')
+
+ allow xguest_t mozilla_t:process transition;
+ role xguest_r types mozilla_t;
@ -24050,14 +24089,17 @@ index 6077339..d10acd2 100644
dev_read_lvm_control(clogd_t)
dev_manage_generic_blk_files(clogd_t)
diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc
index 049e2b6..e500fa5 100644
index 049e2b6..dcc7de8 100644
--- a/policy/modules/services/cmirrord.fc
+++ b/policy/modules/services/cmirrord.fc
@@ -1,3 +1,4 @@
@@ -1,5 +1,6 @@
+
/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
-/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
+/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if
index f8463c0..bed51fb 100644
--- a/policy/modules/services/cmirrord.if
@ -24536,12 +24578,15 @@ index 0258b48..8535cc6 100644
manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
index 74505cc..101c266 100644
index 74505cc..a58903f 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -43,6 +43,7 @@ files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
@@ -41,8 +41,9 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
kernel_getattr_proc_files(colord_t)
-kernel_getattr_proc_files(colord_t)
+kernel_read_system_state(colord_t)
kernel_read_device_sysctls(colord_t)
+kernel_request_load_module(colord_t)
@ -24767,11 +24812,14 @@ index e67a003..192332a 100644
unconfined_stream_connect(consolekit_t)
')
diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
index 3a6d7eb..2098ee9 100644
index 3a6d7eb..3f0e601 100644
--- a/policy/modules/services/corosync.fc
+++ b/policy/modules/services/corosync.fc
@@ -3,6 +3,7 @@
@@ -1,8 +1,10 @@
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
@ -35836,7 +35884,7 @@ index f17583b..6b17513 100644
+
+miscfiles_read_localization(munin_plugin_domain)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index e9c0982..f11e4f2 100644
index e9c0982..14af30a 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
@ -35897,7 +35945,7 @@ index e9c0982..f11e4f2 100644
stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
')
@@ -252,7 +289,7 @@ interface(`mysql_write_log',`
@@ -252,12 +289,12 @@ interface(`mysql_write_log',`
')
logging_search_logs($1)
@ -35906,7 +35954,38 @@ index e9c0982..f11e4f2 100644
')
######################################
@@ -329,10 +366,9 @@ interface(`mysql_search_pid_files',`
## <summary>
-## Execute MySQL server in the mysql domain.
+## Execute MySQL safe script in the mysql safe domain.
## </summary>
## <param name="domain">
## <summary>
@@ -273,6 +310,24 @@ interface(`mysql_domtrans_mysql_safe',`
domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
')
+######################################
+## <summary>
+## Execute MySQL_safe in the coller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_safe_exec',`
+ gen_require(`
+ type mysqld_safe_exec_t;
+ ')
+
+ can_exec($1, mysqld_safe_exec_t)
+')
+
#####################################
## <summary>
## Read MySQL PID files.
@@ -329,10 +384,9 @@ interface(`mysql_search_pid_files',`
#
interface(`mysql_admin',`
gen_require(`
@ -35920,7 +35999,7 @@ index e9c0982..f11e4f2 100644
')
allow $1 mysqld_t:process { ptrace signal_perms };
@@ -343,13 +379,19 @@ interface(`mysql_admin',`
@@ -343,13 +397,19 @@ interface(`mysql_admin',`
role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
@ -39207,7 +39286,7 @@ index 69c331e..0555635 100644
auth_rw_login_records(portslave_t)
diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
index a3e85c9..cb05623 100644
index a3e85c9..6b97fa5 100644
--- a/policy/modules/services/postfix.fc
+++ b/policy/modules/services/postfix.fc
@@ -1,5 +1,6 @@
@ -39218,7 +39297,7 @@ index a3e85c9..cb05623 100644
ifdef(`distro_redhat', `
/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
@@ -16,22 +17,24 @@ ifdef(`distro_redhat', `
@@ -16,22 +17,23 @@ ifdef(`distro_redhat', `
/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
', `
@ -39252,11 +39331,10 @@ index a3e85c9..cb05623 100644
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
+/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+')
/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
@@ -42,9 +45,10 @@ ifdef(`distro_redhat', `
@@ -42,9 +44,10 @@ ifdef(`distro_redhat', `
/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
@ -40352,7 +40430,7 @@ index b524673..9d90fb3 100644
admin_pattern($1, pptp_var_run_t)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 2af42e7..79b1678 100644
index 2af42e7..53f977a 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@ -40390,7 +40468,7 @@ index 2af42e7..79b1678 100644
allow pppd_t self:fifo_file rw_fifo_file_perms;
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
@@ -84,28 +84,28 @@ allow pppd_t self:packet_socket create_socket_perms;
@@ -84,28 +84,29 @@ allow pppd_t self:packet_socket create_socket_perms;
domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
@ -40409,6 +40487,7 @@ index 2af42e7..79b1678 100644
-allow pppd_t pppd_lock_t:file manage_file_perms;
-files_lock_filetrans(pppd_t, pppd_lock_t, file)
+manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
+files_search_locks(pppd_t)
-allow pppd_t pppd_log_t:file manage_file_perms;
+manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
@ -40425,7 +40504,7 @@ index 2af42e7..79b1678 100644
allow pppd_t pptp_t:process signal;
@@ -166,6 +166,8 @@ init_dontaudit_write_utmp(pppd_t)
@@ -166,6 +167,8 @@ init_dontaudit_write_utmp(pppd_t)
init_signal_script(pppd_t)
auth_use_nsswitch(pppd_t)
@ -40434,7 +40513,7 @@ index 2af42e7..79b1678 100644
logging_send_syslog_msg(pppd_t)
logging_send_audit_msgs(pppd_t)
@@ -176,7 +178,7 @@ sysnet_exec_ifconfig(pppd_t)
@@ -176,7 +179,7 @@ sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
@ -40443,7 +40522,7 @@ index 2af42e7..79b1678 100644
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
userdom_search_user_home_dirs(pppd_t)
@@ -194,6 +196,8 @@ optional_policy(`
@@ -194,6 +197,8 @@ optional_policy(`
optional_policy(`
mta_send_mail(pppd_t)
@ -40452,7 +40531,7 @@ index 2af42e7..79b1678 100644
')
optional_policy(`
@@ -243,9 +247,10 @@ allow pptp_t pppd_log_t:file append_file_perms;
@@ -243,9 +248,10 @@ allow pptp_t pppd_log_t:file append_file_perms;
allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
@ -43028,10 +43107,10 @@ index 0000000..4e7605a
+/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
diff --git a/policy/modules/services/rhev.if b/policy/modules/services/rhev.if
new file mode 100644
index 0000000..88f6a9e
index 0000000..bf11e25
--- /dev/null
+++ b/policy/modules/services/rhev.if
@@ -0,0 +1,58 @@
@@ -0,0 +1,76 @@
+## <summary>rhev polic module contains policies for rhev apps</summary>
+
+#####################################
@ -43090,6 +43169,24 @@ index 0000000..88f6a9e
+ files_search_pids($1)
+ stream_connect_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t, rhev_agentd_t)
+')
+
+######################################
+## <summary>
+## Send sigchld to rhev-agentd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`rhev_sigchld_agentd',`
+ gen_require(`
+ type rhev_agentd_t;
+ ')
+
+ allow $1 rhev_agentd_t:process sigchld;
+')
diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
new file mode 100644
index 0000000..bc97a21
@ -43204,6 +43301,400 @@ index 0f262a7..4d10897 100644
term_create_pty(rhgb_t, rhgb_devpts_t)
manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
diff --git a/policy/modules/services/rhsmcertd.fc b/policy/modules/services/rhsmcertd.fc
new file mode 100644
index 0000000..5094d93
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.fc
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_initrc_exec_t,s0)
+
+/usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
+
+/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0)
+
+/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0)
+
+/var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0)
+
+/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0)
diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if
new file mode 100644
index 0000000..811c52e
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.if
@@ -0,0 +1,305 @@
+
+## <summary>Subscription Management Certificate Daemon policy</summary>
+
+########################################
+## <summary>
+## Transition to rhsmcertd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_domtrans',`
+ gen_require(`
+ type rhsmcertd_t, rhsmcertd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t)
+')
+
+
+########################################
+## <summary>
+## Execute rhsmcertd server in the rhsmcertd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_initrc_domtrans',`
+ gen_require(`
+ type rhsmcertd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t)
+')
+
+
+########################################
+## <summary>
+## Read rhsmcertd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rhsmcertd_read_log',`
+ gen_require(`
+ type rhsmcertd_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+')
+
+########################################
+## <summary>
+## Append to rhsmcertd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_append_log',`
+ gen_require(`
+ type rhsmcertd_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+')
+
+########################################
+## <summary>
+## Manage rhsmcertd log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_log',`
+ gen_require(`
+ type rhsmcertd_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+ manage_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+ manage_lnk_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
+')
+
+########################################
+## <summary>
+## Search rhsmcertd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_search_lib',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ allow $1 rhsmcertd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read rhsmcertd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_read_lib_files',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage rhsmcertd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_lib_files',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage rhsmcertd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_manage_lib_dirs',`
+ gen_require(`
+ type rhsmcertd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
+
+########################################
+## <summary>
+## Read rhsmcertd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_read_pid_files',`
+ gen_require(`
+ type rhsmcertd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 rhsmcertd_var_run_t:file read_file_perms;
+')
+
+####################################
+## <summary>
+## Connect to rhsmcertd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_stream_connect',`
+ gen_require(`
+ type rhsmcertd_t, rhsmcertd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t, rhsmcertd_t)
+')
+
+#######################################
+## <summary>
+## Send and receive messages from
+## rhsmcertd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_dbus_chat',`
+ gen_require(`
+ type rhsmcertd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rhsmcertd_t:dbus send_msg;
+ allow rhsmcertd_t $1:dbus send_msg;
+')
+
+######################################
+## <summary>
+## Dontaudit Send and receive messages from
+## rhsmcertd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rhsmcertd_dontaudit_dbus_chat',`
+ gen_require(`
+ type rhsmcertd_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 rhsmcertd_t:dbus send_msg;
+ dontaudit rhsmcertd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an rhsmcertd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rhsmcertd_admin',`
+ gen_require(`
+ type rhsmcertd_t;
+ type rhsmcertd_initrc_exec_t;
+ type rhsmcertd_log_t;
+ type rhsmcertd_var_lib_t;
+ type rhsmcertd_var_run_t;
+ ')
+
+ allow $1 rhsmcertd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, rhsmcertd_t)
+
+ rhsmcertd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 rhsmcertd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, rhsmcertd_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, rhsmcertd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, rhsmcertd_var_run_t)
+
+')
+
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
new file mode 100644
index 0000000..19fe6b0
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.te
@@ -0,0 +1,59 @@
+policy_module(rhsmcertd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhsmcertd_t;
+type rhsmcertd_exec_t;
+init_daemon_domain(rhsmcertd_t, rhsmcertd_exec_t)
+
+permissive rhsmcertd_t;
+
+type rhsmcertd_initrc_exec_t;
+init_script_file(rhsmcertd_initrc_exec_t)
+
+type rhsmcertd_log_t;
+logging_log_file(rhsmcertd_log_t)
+
+type rhsmcertd_lock_t;
+files_lock_file(rhsmcertd_lock_t)
+
+type rhsmcertd_var_lib_t;
+files_type(rhsmcertd_var_lib_t)
+
+type rhsmcertd_var_run_t;
+files_pid_file(rhsmcertd_var_run_t)
+
+########################################
+#
+# rhsmcertd local policy
+#
+
+allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
+allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+
+manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
+files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+
+kernel_read_system_state(rhsmcertd_t)
+
+corecmd_exec_bin(rhsmcertd_t)
+
+dev_read_urand(rhsmcertd_t)
+
+files_read_etc_files(rhsmcertd_t)
+files_read_usr_files(rhsmcertd_t)
+
+miscfiles_read_localization(rhsmcertd_t)
+miscfiles_read_certs(rhsmcertd_t)
diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc
index 5b08327..ed5dc05 100644
--- a/policy/modules/services/ricci.fc
@ -48137,6 +48628,18 @@ index c2cf97e..037a1e8 100644
allow uptimed_t uptimed_etc_t:file read_file_perms;
files_search_etc(uptimed_t)
diff --git a/policy/modules/services/usbmuxd.te b/policy/modules/services/usbmuxd.te
index 4440aa6..34ffbfd 100644
--- a/policy/modules/services/usbmuxd.te
+++ b/policy/modules/services/usbmuxd.te
@@ -40,3 +40,7 @@ miscfiles_read_localization(usbmuxd_t)
auth_use_nsswitch(usbmuxd_t)
logging_send_syslog_msg(usbmuxd_t)
+
+optional_policy(`
+ virt_dontaudit_read_chr_dev(usbmuxd_t)
+')
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index d4349e9..4d112ba 100644
--- a/policy/modules/services/uucp.te
@ -48497,7 +49000,7 @@ index 2124b6a..9682c44 100644
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 7c5d8d8..7e8e54f 100644
index 7c5d8d8..5c0a7a4 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -13,14 +13,15 @@
@ -48765,7 +49268,7 @@ index 7c5d8d8..7e8e54f 100644
')
allow $1 virtd_t:process { ptrace signal_perms };
@@ -515,4 +590,170 @@ interface(`virt_admin',`
@@ -515,4 +590,188 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@ -48935,6 +49438,24 @@ index 7c5d8d8..7e8e54f 100644
+
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to Read virt_image_type devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_dontaudit_read_chr_dev',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 3eca020..4dec4ad 100644
@ -52264,7 +52785,7 @@ index 7f88f5f..bd6493d 100644
sysnet_dns_name_resolve(zabbix_t)
diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
index 3defaa1..7fc57b2 100644
index 3defaa1..2ad2488 100644
--- a/policy/modules/services/zarafa.fc
+++ b/policy/modules/services/zarafa.fc
@@ -8,7 +8,8 @@
@ -52272,8 +52793,8 @@ index 3defaa1..7fc57b2 100644
/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
-/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
@ -56143,7 +56664,7 @@ index 831b909..57064ad 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index b6ec597..7354066 100644
index b6ec597..eedd444 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -20,6 +20,7 @@ files_security_file(auditd_log_t)
@ -56247,7 +56768,7 @@ index b6ec597..7354066 100644
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid };
dontaudit syslogd_t self:capability sys_tty_config;
+allow syslogd_t self:capability2 syslog;
# setpgid for metalog
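Review bot: In the new rhsmcertd.te, the log, var_lib and var_run types get manage patterns but no type transition; only the lock type has one (`files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)`). If rhsmcertd itself creates `/var/log/rhsm`, `/var/lib/rhsm` or `/var/run/rhsm` at runtime (not visible on this page), those objects would take the parent directory's generic type and the private types would apply only after a relabel; consider adding `logging_log_filetrans(rhsmcertd_t, rhsmcertd_log_t, { file dir })`, `files_var_lib_filetrans(rhsmcertd_t, rhsmcertd_var_lib_t, { file dir })` and `files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })`. The same file declares `permissive rhsmcertd_t;`, so the domain is not confined yet and a mislabel like this would show up only as logged AVC denials, never as a failure. A comment beside that line saying when it is meant to go would keep it from becoming permanent, e.g. `# TODO: remove once rhsmcertd_t runs without AVC denials`.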

View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -449,6 +449,12 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Thu Jun 30 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-2
- Change usbmuxd_t to dontaudit attempts to read chr_file
- Add mysld_safe_exec_t for libra domains to be able to start private mysql domains
- Allow pppd to search /var/lock dir
- Add rhsmcertd policy
* Mon Jun 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-1
- Update to upstream