- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring

- Allow geoclue to create temporary files/dirs in /tmp
- Add httpd_dontaudit_search_dirs boolean
- Add support for winbind.service
- Also allow fail2ban-client to read apache logs
- Allow vmtools to getattr on all fs
This commit is contained in:
Miroslav Grepl 2014-01-30 13:26:17 +01:00
parent a960d06c0c
commit a853036f79
3 changed files with 131 additions and 88 deletions


@ -2631,7 +2631,7 @@ index 99e3903..fa68362 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1..e0fc276 100644
index 1d732f1..1a53101 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@ -2784,6 +2784,15 @@ index 1d732f1..e0fc276 100644
auth_relabel_shadow(groupadd_t)
auth_etc_filetrans_shadow(groupadd_t)
@@ -273,7 +297,7 @@ optional_policy(`
# Passwd local policy
#
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
+allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource };
dontaudit passwd_t self:capability sys_tty_config;
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
@@ -288,6 +312,7 @@ allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
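Review bot: The new `ipc_lock` capability on the `allow passwd_t self:capability` line is granted unconditionally and without an in-policy note of why passwd needs it; the only rationale is the commit message and changelog ("change the password in gnome-keyring"). Since `ipc_lock` is a broader capability than the password-change use case suggests, a short comment above the rule would keep the reason reviewable later, e.g. `# ipc_lock: required to change the gnome-keyring password (see 3.13.1-20 changelog)`. The surrounding "Passwd local policy" block continues outside this hunk, so it is not visible whether the grant is paired with any tunable; if it could be, gating it would be worth considering.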


@ -4786,10 +4786,10 @@ index f6eb485..51b128e 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
index 6649962..7954b3b 100644
index 6649962..1f527f5 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,317 @@ policy_module(apache, 2.7.2)
@@ -5,280 +5,325 @@ policy_module(apache, 2.7.2)
# Declarations
#
@ -4810,39 +4810,40 @@ index 6649962..7954b3b 100644
## </desc>
-gen_tunable(allow_httpd_anon_write, false)
+gen_tunable(httpd_anon_write, false)
+
## <desc>
-## <p>
-## Determine whether httpd can use mod_auth_pam.
-## </p>
+## <p>
+## Allow Apache to use mod_auth_pam
+## Dontaudit Apache to search dirs.
+## </p>
## </desc>
-gen_tunable(allow_httpd_mod_auth_pam, false)
+gen_tunable(httpd_mod_auth_pam, false)
+gen_tunable(httpd_dontaudit_search_dirs, false)
## <desc>
-## <p>
-## Determine whether httpd can use built in scripting.
-## </p>
+## <p>
+## Allow Apache to use mod_auth_ntlm_winbind
+## Allow Apache to use mod_auth_pam
+## </p>
## </desc>
-gen_tunable(httpd_builtin_scripting, false)
+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
+gen_tunable(httpd_mod_auth_pam, false)
## <desc>
-## <p>
-## Determine whether httpd can check spam.
-## </p>
+## <p>
+## Allow httpd scripts and modules execmem/execstack
+## Allow Apache to use mod_auth_ntlm_winbind
+## </p>
## </desc>
-gen_tunable(httpd_can_check_spam, false)
+gen_tunable(httpd_execmem, false)
+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
## <desc>
-## <p>
@ -4850,6 +4851,13 @@ index 6649962..7954b3b 100644
-## can connect to the network using TCP.
-## </p>
+## <p>
+## Allow httpd scripts and modules execmem/execstack
+## </p>
+## </desc>
+gen_tunable(httpd_execmem, false)
+
+## <desc>
+## <p>
+## Allow httpd processes to manage IPA content
+## </p>
+## </desc>
@ -5255,7 +5263,7 @@ index 6649962..7954b3b 100644
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
@@ -286,15 +323,35 @@ init_script_file(httpd_initrc_exec_t)
@@ -286,15 +331,35 @@ init_script_file(httpd_initrc_exec_t)
type httpd_keytab_t;
files_type(httpd_keytab_t)
@ -5291,7 +5299,7 @@ index 6649962..7954b3b 100644
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
@@ -302,10 +359,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
@@ -302,10 +367,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
@ -5304,7 +5312,7 @@ index 6649962..7954b3b 100644
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
@@ -314,9 +369,19 @@ role system_r types httpd_suexec_t;
@@ -314,9 +377,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
@ -5327,7 +5335,7 @@ index 6649962..7954b3b 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
@@ -324,14 +389,21 @@ files_tmp_file(httpd_tmp_t)
@@ -324,14 +397,21 @@ files_tmp_file(httpd_tmp_t)
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
@ -5350,7 +5358,7 @@ index 6649962..7954b3b 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
@@ -346,33 +418,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
@@ -346,33 +426,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
@ -5401,7 +5409,7 @@ index 6649962..7954b3b 100644
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
@@ -381,30 +460,38 @@ allow httpd_t self:shm create_shm_perms;
@@ -381,30 +468,38 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
@ -5445,7 +5453,7 @@ index 6649962..7954b3b 100644
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
@@ -412,14 +499,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -412,14 +507,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@ -5467,7 +5475,7 @@ index 6649962..7954b3b 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -450,140 +544,168 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -450,140 +552,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@ -5533,7 +5541,7 @@ index 6649962..7954b3b 100644
-fs_search_auto_mountpoints(httpd_t)
+fs_rw_anon_inodefs_files(httpd_t)
+fs_read_hugetlbfs_files(httpd_t)
+
+auth_use_nsswitch(httpd_t)
+
+application_exec_all(httpd_t)
@ -5544,7 +5552,7 @@ index 6649962..7954b3b 100644
+
+domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t)
+
+files_dontaudit_search_all_pids(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t)
@ -5609,16 +5617,20 @@ index 6649962..7954b3b 100644
-ifdef(`hide_broken_symptoms',`
- libs_exec_lib_files(httpd_t)
+tunable_policy(`httpd_dontaudit_search_dirs',`
+ files_dontaudit_search_non_security_dirs(httpd_t)
')
-tunable_policy(`allow_httpd_anon_write',`
- miscfiles_manage_public_files(httpd_t)
+#
+# We need optionals to be able to be within booleans to make this work
+#
+tunable_policy(`httpd_mod_auth_pam',`
+ auth_domtrans_chkpwd(httpd_t)
+ logging_send_audit_msgs(httpd_t)
')
-tunable_policy(`allow_httpd_anon_write',`
- miscfiles_manage_public_files(httpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
@ -5701,7 +5713,7 @@ index 6649962..7954b3b 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -594,28 +716,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
@@ -594,28 +728,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@ -5761,7 +5773,7 @@ index 6649962..7954b3b 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -624,68 +768,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -624,68 +780,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@ -5813,12 +5825,8 @@ index 6649962..7954b3b 100644
- tunable_policy(`httpd_can_network_connect_zabbix',`
- zabbix_tcp_connect(httpd_t)
- ')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
')
-')
-
-optional_policy(`
- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
- spamassassin_domtrans_client(httpd_t)
@ -5841,8 +5849,12 @@ index 6649962..7954b3b 100644
- tunable_policy(`httpd_mod_auth_ntlm_winbind',`
- samba_domtrans_winbind_helper(httpd_t)
- ')
-')
-
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
')
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_use_fusefs',`
@ -5852,7 +5864,7 @@ index 6649962..7954b3b 100644
')
tunable_policy(`httpd_setrlimit',`
@@ -695,66 +815,56 @@ tunable_policy(`httpd_setrlimit',`
@@ -695,66 +827,56 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -5873,10 +5885,8 @@ index 6649962..7954b3b 100644
- userdom_use_user_terminals(httpd_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
')
-')
-
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_cifs_dirs(httpd_t)
@ -5893,8 +5903,10 @@ index 6649962..7954b3b 100644
- fs_manage_fusefs_dirs(httpd_t)
- fs_manage_fusefs_files(httpd_t)
- fs_read_fusefs_symlinks(httpd_t)
-')
-
+ userdom_use_inherited_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
')
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
- fs_exec_fusefs_files(httpd_t)
-')
@ -5950,7 +5962,7 @@ index 6649962..7954b3b 100644
')
optional_policy(`
@@ -770,6 +880,23 @@ optional_policy(`
@@ -770,6 +892,23 @@ optional_policy(`
')
optional_policy(`
@ -5974,7 +5986,7 @@ index 6649962..7954b3b 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
@@ -786,35 +913,55 @@ optional_policy(`
@@ -786,35 +925,55 @@ optional_policy(`
')
optional_policy(`
@ -6043,7 +6055,7 @@ index 6649962..7954b3b 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
@@ -822,8 +969,18 @@ optional_policy(`
@@ -822,8 +981,18 @@ optional_policy(`
')
optional_policy(`
@ -6062,7 +6074,7 @@ index 6649962..7954b3b 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
@@ -832,6 +989,7 @@ optional_policy(`
@@ -832,6 +1001,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@ -6070,7 +6082,7 @@ index 6649962..7954b3b 100644
')
optional_policy(`
@@ -842,20 +1000,39 @@ optional_policy(`
@@ -842,20 +1012,39 @@ optional_policy(`
')
optional_policy(`
@ -6116,7 +6128,7 @@ index 6649962..7954b3b 100644
')
optional_policy(`
@@ -863,19 +1040,35 @@ optional_policy(`
@@ -863,19 +1052,35 @@ optional_policy(`
')
optional_policy(`
@ -6152,7 +6164,7 @@ index 6649962..7954b3b 100644
udev_read_db(httpd_t)
')
@@ -883,65 +1076,173 @@ optional_policy(`
@@ -883,65 +1088,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
@ -6225,10 +6237,11 @@ index 6649962..7954b3b 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
+')
+
+########################################
+#
')
########################################
#
-# Suexec local policy
+# Apache PHP script local policy
+#
+
@ -6287,11 +6300,10 @@ index 6649962..7954b3b 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
')
########################################
#
-# Suexec local policy
+')
+
+########################################
+#
+# Apache suexec local policy
#
@ -6348,7 +6360,7 @@ index 6649962..7954b3b 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
@@ -950,123 +1251,74 @@ auth_use_nsswitch(httpd_suexec_t)
@@ -950,123 +1263,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@ -6503,7 +6515,7 @@ index 6649962..7954b3b 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -1083,172 +1335,106 @@ optional_policy(`
@@ -1083,172 +1347,106 @@ optional_policy(`
')
')
@ -6528,11 +6540,11 @@ index 6649962..7954b3b 100644
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+allow httpd_sys_script_t self:process getsched;
-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
+allow httpd_sys_script_t self:process getsched;
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
@ -6621,15 +6633,6 @@ index 6649962..7954b3b 100644
- corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
- corenet_tcp_connect_oracledb_port(httpd_script_domains)
- corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
-')
-
-optional_policy(`
- mysql_read_config(httpd_script_domains)
- mysql_stream_connect(httpd_script_domains)
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- mysql_tcp_connect(httpd_script_domains)
- ')
+tunable_policy(`httpd_can_network_connect_db',`
+ corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
@ -6639,12 +6642,21 @@ index 6649962..7954b3b 100644
')
-optional_policy(`
- postgresql_stream_connect(httpd_script_domains)
- mysql_read_config(httpd_script_domains)
- mysql_stream_connect(httpd_script_domains)
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- mysql_tcp_connect(httpd_script_domains)
- ')
-')
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
+fs_rw_anon_inodefs_files(httpd_sys_script_t)
-optional_policy(`
- postgresql_stream_connect(httpd_script_domains)
-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_script_domains)
- ')
@ -6681,7 +6693,8 @@ index 6649962..7954b3b 100644
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
-
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
@ -6701,8 +6714,7 @@ index 6649962..7954b3b 100644
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@ -6740,7 +6752,7 @@ index 6649962..7954b3b 100644
')
tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1442,74 @@ tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1454,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@ -6837,7 +6849,7 @@ index 6649962..7954b3b 100644
########################################
#
@@ -1321,8 +1517,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
@@ -1321,8 +1529,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@ -6854,7 +6866,7 @@ index 6649962..7954b3b 100644
')
########################################
@@ -1330,49 +1533,38 @@ optional_policy(`
@@ -1330,49 +1545,38 @@ optional_policy(`
# User content local policy
#
@ -6919,7 +6931,7 @@ index 6649962..7954b3b 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
@@ -1382,38 +1574,100 @@ dev_read_urand(httpd_passwd_t)
@@ -1382,38 +1586,100 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@ -25291,7 +25303,7 @@ index 50d0084..94e1936 100644
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
index cf0e567..91d4dfb 100644
index cf0e567..fed8792 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@ -25368,7 +25380,7 @@ index cf0e567..91d4dfb 100644
shorewall_domtrans(fail2ban_t)
')
@@ -131,22 +144,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
@@ -131,22 +144,29 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
@ -25398,6 +25410,10 @@ index cf0e567..91d4dfb 100644
-
userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
userdom_use_user_terminals(fail2ban_client_t)
+
+optional_policy(`
+ apache_read_log(fail2ban_client_t)
+')
diff --git a/fcoe.te b/fcoe.te
index ce358fb..aabd04f 100644
--- a/fcoe.te
@ -27102,10 +27118,10 @@ index 0000000..9e17d3e
+')
diff --git a/geoclue.te b/geoclue.te
new file mode 100644
index 0000000..64faa9e
index 0000000..1fb8bd5
--- /dev/null
+++ b/geoclue.te
@@ -0,0 +1,38 @@
@@ -0,0 +1,45 @@
+policy_module(geoclue, 1.0.0)
+
+########################################
@ -27121,6 +27137,9 @@ index 0000000..64faa9e
+type geoclue_var_lib_t;
+files_type(geoclue_var_lib_t)
+
+type geoclue_tmp_t;
+files_tmp_file(geoclue_tmp_t)
+
+########################################
+#
+# geoclue local policy
@ -27131,6 +27150,10 @@ index 0000000..64faa9e
+manage_lnk_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
+files_var_lib_filetrans(geoclue_t, geoclue_var_lib_t, { dir })
+
+manage_files_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
+manage_dirss_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)
+files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })
+
+corenet_tcp_connect_http_port(geoclue_t)
+
+corecmd_exec_bin(geoclue_t)
@ -80608,10 +80631,10 @@ index 7fb75f4..27f5e22 100644
+userdom_getattr_user_terminals(rwho_t)
+
diff --git a/samba.fc b/samba.fc
index b8b66ff..2ccac49 100644
index b8b66ff..d1fa967 100644
--- a/samba.fc
+++ b/samba.fc
@@ -1,42 +1,54 @@
@@ -1,42 +1,55 @@
-/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+
@ -80637,6 +80660,7 @@ index b8b66ff..2ccac49 100644
+#
+/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+/usr/lib/systemd/system/winbind.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
-/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
-/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
@ -80692,7 +80716,7 @@ index b8b66ff..2ccac49 100644
/var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
/var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
@@ -45,7 +57,11 @@
@@ -45,7 +58,11 @@
/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
@ -100334,10 +100358,10 @@ index 0000000..044be2f
+')
diff --git a/vmtools.te b/vmtools.te
new file mode 100644
index 0000000..b4d2dac
index 0000000..1398ead
--- /dev/null
+++ b/vmtools.te
@@ -0,0 +1,42 @@
@@ -0,0 +1,44 @@
+policy_module(vmtools, 1.0.0)
+
+########################################
@ -100377,6 +100401,8 @@ index 0000000..b4d2dac
+dev_read_urand(vmtools_t)
+dev_getattr_all_blk_files(vmtools_t)
+
+fs_getattr_all_fs(vmtools_t)
+
+auth_use_nsswitch(vmtools_t)
+
+logging_send_syslog_msg(vmtools_t)
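Review bot: In the geoclue.te hunk (the `@ -27131,6 +27150,10 @@` region) the added line `manage_dirss_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)` misspells the refpolicy pattern name; it should read `manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)`. No macro of that name exists in refpolicy, so the unexpanded text is expected to make the module build fail or, at best, silently leave geoclue_t without the directory permissions on geoclue_tmp_t that the following `files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })` assumes — the changelog entry "Allow geoclue to create temporary files/dirs in /tmp" would then be only half true. The geoclue local policy block continues outside this hunk. The other hunks in this section (apache, fail2ban, samba, vmtools) look consistent with their updated hunk counts and raise nothing comparable.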


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 19%{?dist}
Release: 20%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -578,6 +578,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Thu Jan 30 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-20
- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
- Allow geoclue to create temporary files/dirs in /tmp
- Add httpd_dontaudit_search_dirs boolean
- Add support for winbind.service
- ALlow also fail2ban-client to read apache logs
- Allow vmtools to getattr on all fs
* Tue Jan 28 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-19
- Add net_admin also for systemd_passwd_agent_t
- Allow Associate usermodehelper_t to sysfs filesystem