diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 570ef7a7..ac2e6093 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -114,6 +114,7 @@ files_tmp_file(squirrelmail_spool_t)
 # cjp: probably can remove this
 ifdef(`distro_redhat',`
 	typealias httpd_log_t alias httpd_runtime_t;
+	dontaudit httpd_t httpd_runtime_t:file ioctl;
 ')
 
 ifdef(`targeted_policy',`
@@ -372,6 +373,9 @@ tunable_policy(`httpd_ssi_exec',`
 # to run correctly without this permission, so the permission
 # are dontaudited here.
 tunable_policy(`httpd_tty_comm',`
+	# cjp: this is redundant:
+	term_use_controlling_term(httpd_t)
+
 	userdom_use_sysadm_terms(httpd_t)
 ',`
 	userdom_dontaudit_use_sysadm_terms(httpd_t)
@@ -450,6 +454,7 @@ logging_send_syslog_msg(httpd_helper_t)
 allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_php_t self:fd use;
 allow httpd_php_t self:fifo_file rw_file_perms;
+allow httpd_php_t self:sock_file r_file_perms;
 allow httpd_php_t self:unix_dgram_socket create_socket_perms;
 allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
 allow httpd_php_t self:unix_dgram_socket sendto;
diff --git a/refpolicy/policy/modules/services/howl.te b/refpolicy/policy/modules/services/howl.te
index f1d0dbe5..53f6bebe 100644
--- a/refpolicy/policy/modules/services/howl.te
+++ b/refpolicy/policy/modules/services/howl.te
@@ -26,6 +26,7 @@ allow howl_t self:tcp_socket create_stream_socket_perms;
 allow howl_t self:udp_socket create_socket_perms;
 
 allow howl_t howl_var_run_t:file create_file_perms;
+allow howl_t howl_var_run_t:dir rw_dir_perms;
 files_create_pid(howl_t,howl_var_run_t)
 
 kernel_read_network_state(howl_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index 23912ecd..253e2b34 100644
--- a/refpolicy/policy/modules/system/hotplug.te
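Review bot: The new `dontaudit httpd_t httpd_runtime_t:file ioctl;` is placed inside a `distro_redhat` block whose only other content is a typealias and which is already marked `# cjp: probably can remove this`, so the suppression will vanish with the block if that cleanup ever happens. Because httpd_runtime_t is declared as an alias of httpd_log_t, this is the same as dontauditing ioctl on the log file type; if the denial it silences is not Red Hat specific it belongs outside the ifdef, and either way a comment naming the trigger is needed, e.g. `# ioctl on log files — TODO record which httpd code path triggers this before removing the block above`.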
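Review bot: `# cjp: this is redundant:` does not say what `term_use_controlling_term(httpd_t)` is redundant with, and the nearest candidate, `userdom_use_sysadm_terms(httpd_t)` on the following context line, appears to cover the sysadm terminal types rather than the controlling terminal in general, so the two are not obviously interchangeable. Either name the subsuming interface in the comment or leave the call out instead of adding a line whose own comment calls it redundant; `# cjp: redundant with userdom_use_sysadm_terms below — verify, then drop one` would at least record the intent. Both additions sit under the `httpd_tty_comm` tunable, which closes outside the hunk, so they only widen httpd_t's terminal access when that boolean is enabled.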
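Review bot: `allow httpd_php_t self:sock_file r_file_perms;` only matches socket files labelled httpd_php_t, and a process domain type is not normally assigned to anything on disk, so unless something creates a sock_file with that label the rule grants nothing. If this was written to clear an AVC denial, check the denial's target context: the socket is more likely labelled with a tmp or var_run type, in which case the rule should name that type, and connecting to a unix socket normally needs write on the sock_file rather than the read set granted here. The httpd_php_t rule block continues past the hunk.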
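Review bot: `allow howl_t howl_var_run_t:dir rw_dir_perms;` grants read/write on directories labelled howl_var_run_t, but nothing in the hunk shows such a directory existing; `files_create_pid(howl_t,howl_var_run_t)` on the next line is presumably what handles writing the pid file into the var_run directory, so the new rule only matters if howl keeps a subdirectory of its own type under /var/run. If it does, say so (`# howl keeps its pid file in its own directory under /var/run`) and check whether create_dir_perms is needed to make that directory; if it does not, the rule allows an access nothing exercises and should be dropped. The same pattern is added for klogd_t in logging.te (`allow klogd_t klogd_var_run_t:dir rw_dir_perms;` beside the moved `files_create_pid`) and the same question applies there.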
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -81,6 +81,7 @@ term_dontaudit_use_console(hotplug_t)
 corecmd_exec_bin(hotplug_t)
 corecmd_exec_shell(hotplug_t)
 corecmd_exec_sbin(hotplug_t)
+corecmd_exec_ls(hotplug_t)
 
 domain_use_wide_inherit_fd(hotplug_t)
 # for ps
@@ -111,6 +112,7 @@ libs_read_lib(hotplug_t)
 modutils_domtrans_insmod(hotplug_t)
 modutils_read_mods_deps(hotplug_t)
 
+miscfiles_read_hwdata(hotplug_t)
 miscfiles_read_hwdata(hotplug_t)
 miscfiles_read_localization(hotplug_t)
 
@@ -132,6 +134,9 @@ ifdef(`distro_redhat', `
 ')
 
 ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_tty(hotplug_t)
+	term_dontaudit_use_generic_pty(hotplug_t)
+
 	optional_policy(`consoletype.te',`
 		consoletype_domtrans(hotplug_t)
 	')
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 01d4a967..8cff50b4 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -191,6 +191,8 @@ allow klogd_t klogd_tmp_t:dir create_dir_perms;
 files_create_tmp_files(klogd_t,klogd_tmp_t,{ file dir })
 
 allow klogd_t klogd_var_run_t:file create_file_perms;
+allow klogd_t klogd_var_run_t:dir rw_dir_perms;
+files_create_pid(klogd_t,klogd_var_run_t)
 
 allow klogd_t self:capability sys_admin;
 dontaudit klogd_t self:capability sys_resource;
@@ -214,7 +216,6 @@ term_dontaudit_use_console(klogd_t)
 
 domain_use_wide_inherit_fd(klogd_t)
 
-files_create_pid(klogd_t,klogd_var_run_t)
 files_read_etc_runtime_files(klogd_t)
 # read /etc/nsswitch.conf
 files_read_etc_files(klogd_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index b9e07007..bce4e26d 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
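Review bot: The added `miscfiles_read_hwdata(hotplug_t)` duplicates the identical call on the very next context line, so the hunk changes nothing in the compiled policy and should be dropped. A duplicate interface call is harmless to the build but hides the fact that the access was already granted; if a denial motivated this addition, it was not for this interface and still needs attention.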
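Review bot: The two new `term_dontaudit_*` calls for hotplug_t carry no comment, so it is not recorded which hotplug script touches an unallocated tty or a generic pty under the targeted policy, and a later reader cannot tell whether the silenced denial was benign noise or a script doing something it should not. A short comment above them, such as `# hotplug scripts presumably inherit the caller's tty; silence the resulting denials — TODO confirm trigger`, would preserve that judgement. The selinuxutil.te hunk in this commit uses the allow (`term_use_*`) forms of the same two interfaces for load_policy_t, so it is worth stating here that hotplug only needs the denials quieted, not the access; the enclosing `ifdef(`targeted_policy'` block closes outside the hunk.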
@@ -187,6 +187,11 @@ miscfiles_read_localization(load_policy_t)
 
 userdom_use_all_user_fd(load_policy_t)
 
+ifdef(`targeted_policy', `
+	term_use_unallocated_tty(load_policy_t)
+	term_use_generic_pty(load_policy_t)
+')
+
 ########################################
 #
 # Newrole local policy
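Review bot: The new `ifdef(`targeted_policy', ...)` block grants load_policy_t write access to unallocated ttys and generic ptys without a comment saying why this is needed only in the targeted policy and not in strict. Presumably the terminals load_policy is run from keep the generic tty/pty types under the targeted policy rather than a per-user type, but that reasoning belongs in the file: `# targeted policy: the invoking terminal keeps the generic tty/pty types, so load_policy must write them directly — TODO confirm`. Unlike the hotplug.te hunk in this commit these are allow rules rather than dontaudits, which is the right choice only if load_policy genuinely needs to write to the terminal, so the comment should state that as well.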