From b1863350de219dbdae5a5bd3b65b4453d99e21e7 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Tue, 11 Jan 2011 13:44:47 +0000 Subject: [PATCH] - Add firewalld policy - Allow vmware_host to read samba config - Kernel wants to read /proc Fix duplicate grub def in cobbler - Chrony sends mail, executes shell, uses fifo_file and reads /proc - devicekitdisk getattr all file systems - sambd daemon writes wtmp file - libvirt transitions to dmidecode --- modules-targeted.conf | 7 + policy-F15.patch | 569 +++++++++++++++++++++++++++++++++++------- selinux-policy.spec | 11 +- 3 files changed, 494 insertions(+), 93 deletions(-) diff --git a/modules-targeted.conf b/modules-targeted.conf index 5fd759d3..905cd44d 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2328,3 +2328,10 @@ milter = module # /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet # keyboardd = module + +# Layer: services +# Module: firewalld +# +# firewalld is firewall service daemon that provides dynamic customizable +# +firewalld = module diff --git a/policy-F15.patch b/policy-F15.patch index af42ac2d..bb4ab9d1 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -352,7 +352,7 @@ index 63eb96b..17a9f6d 100644 ## ## Execute bootloader interactively and do diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index d3da8f2..c171daf 100644 +index d3da8f2..9799904 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -23,7 +23,7 @@ role system_r types bootloader_t; @@ -364,6 +364,17 @@ index d3da8f2..c171daf 100644 # # The temp file is used for initrd creation; +@@ -171,6 +171,10 @@ ifdef(`distro_redhat',` + ') + + optional_policy(` ++ devicekit_dontaudit_read_pid_files(bootloader_t) ++') ++ ++optional_policy(` + fstools_exec(bootloader_t) + ') + diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if index 2c2cdb6..73b3814 100644 --- a/policy/modules/admin/brctl.if 
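Review bot: The module description added for firewalld in modules-targeted.conf stops mid-sentence — `# firewalld is firewall service daemon that provides dynamic customizable` never says what is provided, whereas the neighbouring keyboardd entry is a complete sentence. Finish the line so the generated module listing reads cleanly, e.g. `# firewalld is a firewall service daemon that provides a dynamic, customizable firewall`. The trailing empty `#` line before `firewalld = module` matches the style of the entries above it, so only the wording needs attention.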
@@ -416,10 +427,18 @@ index 9de382b..682e78e 100644 optional_policy(` apache_exec_modules(certwatch_t) diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te -index cd5e005..7f3f992 100644 +index cd5e005..24f73ca 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te -@@ -79,16 +79,18 @@ optional_policy(` +@@ -48,6 +48,7 @@ mls_file_read_all_levels(consoletype_t) + mls_file_write_all_levels(consoletype_t) + + term_use_all_terms(consoletype_t) ++term_use_ptmx(consoletype_t) + + init_use_fds(consoletype_t) + init_use_script_ptys(consoletype_t) +@@ -79,16 +80,18 @@ optional_policy(` ') optional_policy(` @@ -442,7 +461,7 @@ index cd5e005..7f3f992 100644 ') optional_policy(` -@@ -114,6 +116,7 @@ optional_policy(` +@@ -114,6 +117,7 @@ optional_policy(` optional_policy(` userdom_use_unpriv_users_fds(consoletype_t) @@ -1764,7 +1783,7 @@ index d0604cf..679d61c 100644 ## ## diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te -index 8966ec9..80939b0 100644 +index 8966ec9..fb8d63f 100644 --- a/policy/modules/admin/shutdown.te +++ b/policy/modules/admin/shutdown.te @@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0) @@ -1775,7 +1794,14 @@ index 8966ec9..80939b0 100644 application_domain(shutdown_t, shutdown_exec_t) role system_r types shutdown_t; -@@ -38,13 +39,14 @@ domain_use_interactive_fds(shutdown_t) +@@ -33,18 +34,21 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file) + manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t) + files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) + ++kernel_read_system_state(shutdown_t) ++ + domain_use_interactive_fds(shutdown_t) + files_read_etc_files(shutdown_t) files_read_generic_pids(shutdown_t) @@ -1792,7 +1818,7 @@ index 8966ec9..80939b0 100644 init_stream_connect(shutdown_t) init_telinit(shutdown_t) -@@ -59,5 +61,10 @@ optional_policy(` +@@ -59,5 +63,10 @@ optional_policy(` ') optional_policy(` 
@@ -2001,7 +2027,7 @@ index 81fb26f..cd18ca8 100644 optional_policy(` diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 441cf22..e1b55f8 100644 +index 441cf22..b90d4cc 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t) @@ -2015,7 +2041,17 @@ index 441cf22..e1b55f8 100644 # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) -@@ -291,17 +289,18 @@ selinux_compute_create_context(passwd_t) +@@ -194,8 +192,7 @@ selinux_compute_create_context(groupadd_t) + selinux_compute_relabel_context(groupadd_t) + selinux_compute_user_contexts(groupadd_t) + +-term_use_all_ttys(groupadd_t) +-term_use_all_ptys(groupadd_t) ++term_use_all_terms(groupadd_t) + + init_use_fds(groupadd_t) + init_read_utmp(groupadd_t) +@@ -291,17 +288,18 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -2038,7 +2074,7 @@ index 441cf22..e1b55f8 100644 domain_use_interactive_fds(passwd_t) -@@ -332,6 +331,7 @@ userdom_read_user_tmp_files(passwd_t) +@@ -332,6 +330,7 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -2046,7 +2082,17 @@ index 441cf22..e1b55f8 100644 optional_policy(` nscd_domtrans(passwd_t) -@@ -426,7 +426,7 @@ optional_policy(` +@@ -381,8 +380,7 @@ dev_read_urand(sysadm_passwd_t) + fs_getattr_xattr_fs(sysadm_passwd_t) + fs_search_auto_mountpoints(sysadm_passwd_t) + +-term_use_all_ttys(sysadm_passwd_t) +-term_use_all_ptys(sysadm_passwd_t) ++term_use_all_terms(sysadm_passwd_t) + + auth_manage_shadow(sysadm_passwd_t) + auth_relabel_shadow(sysadm_passwd_t) +@@ -426,7 +424,7 @@ optional_policy(` # Useradd local policy # 
@@ -2055,7 +2101,17 @@ index 441cf22..e1b55f8 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -498,12 +498,8 @@ seutil_domtrans_setfiles(useradd_t) +@@ -469,8 +467,7 @@ selinux_compute_create_context(useradd_t) + selinux_compute_relabel_context(useradd_t) + selinux_compute_user_contexts(useradd_t) + +-term_use_all_ttys(useradd_t) +-term_use_all_ptys(useradd_t) ++term_use_all_terms(useradd_t) + + auth_domtrans_chk_passwd(useradd_t) + auth_rw_lastlog(useradd_t) +@@ -498,12 +495,8 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -6857,6 +6913,19 @@ index 0000000..5259647 + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) +') + +diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if +index 320df26..879e804 100644 +--- a/policy/modules/apps/screen.if ++++ b/policy/modules/apps/screen.if +@@ -81,8 +81,6 @@ template(`screen_role_template',` + relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) + + manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) +- manage_files_pattern($3, screen_var_run_t, screen_var_run_t) +- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t) + manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) + + kernel_read_system_state($1_screen_t) diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if index 1dc7a85..7455c19 100644 --- a/policy/modules/apps/seunshare.if @@ -7187,10 +7256,10 @@ index 0000000..46368cc +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 -index 0000000..24f8037 +index 0000000..d4e5e9e --- /dev/null +++ b/policy/modules/apps/telepathy.te -@@ -0,0 +1,329 @@ +@@ -0,0 +1,331 @@ + +policy_module(telepathy, 1.0.0) + 
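Review bot: The screen.if hunk removes `manage_files_pattern($3, screen_var_run_t, screen_var_run_t)` and `manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)` from screen_role_template, leaving only dir and fifo_file management, yet none of the eight bullets in the commit message mention screen. Since this narrows what a user role may do under the screen run directory, add a bullet such as `- Drop file/lnk_file management of screen_var_run_t from screen_role_template` so the restriction is traceable if a denial is later reported against $1_screen_t. The template body continues outside the hunk, so whether another rule still covers plain files there cannot be confirmed from this view.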
@@ -7374,6 +7443,8 @@ index 0000000..24f8037 + +dev_read_rand(telepathy_mission_control_t) + ++fs_getattr_all_fs(telepathy_mission_control_t) ++ +files_read_etc_files(telepathy_mission_control_t) +files_read_usr_files(telepathy_mission_control_t) + @@ -7681,7 +7752,7 @@ index 5872ea2..028c994 100644 /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te -index c76ceb2..d7df452 100644 +index c76ceb2..9562e78 100644 --- a/policy/modules/apps/vmware.te +++ b/policy/modules/apps/vmware.te @@ -126,6 +126,7 @@ dev_getattr_all_blk_files(vmware_host_t) @@ -7708,7 +7779,7 @@ index c76ceb2..d7df452 100644 userdom_dontaudit_use_unpriv_user_fds(vmware_host_t) userdom_dontaudit_search_user_home_dirs(vmware_host_t) -@@ -158,8 +161,19 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t) +@@ -158,8 +161,23 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t) netutils_domtrans_ping(vmware_host_t) optional_policy(` @@ -7719,6 +7790,10 @@ index c76ceb2..d7df452 100644 + modutils_domtrans_insmod(vmware_host_t) +') + ++optional_policy(` ++ samba_read_config(vmware_host_t) ++') ++ +optional_policy(` seutil_sigchld_newrole(vmware_host_t) +') @@ -10986,7 +11061,7 @@ index b4ad6d7..67e89f0 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 9e2e6d7..08e82d9 100644 +index 9e2e6d7..d5c4f76 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -11016,7 +11091,7 @@ index 9e2e6d7..08e82d9 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -268,19 +272,30 @@ files_list_root(kernel_t) +@@ -268,19 +272,31 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) 
@@ -11030,6 +11105,7 @@ index 9e2e6d7..08e82d9 100644 mls_process_read_up(kernel_t) mls_process_write_down(kernel_t) ++mls_file_downgrade(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) +mls_socket_write_all_levels(kernel_t) @@ -11047,7 +11123,7 @@ index 9e2e6d7..08e82d9 100644 optional_policy(` hotplug_search_config(kernel_t) ') -@@ -357,6 +372,10 @@ optional_policy(` +@@ -357,6 +373,10 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -11508,7 +11584,7 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..faaf889 100644 +index 2be17d2..5728fc1 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,48 @@ policy_module(staff, 2.2.0) @@ -11560,7 +11636,7 @@ index 2be17d2..faaf889 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,25 +63,108 @@ optional_policy(` +@@ -27,25 +63,112 @@ optional_policy(` ') optional_policy(` @@ -11581,6 +11657,10 @@ index 2be17d2..faaf889 100644 +') + +optional_policy(` ++ mock_role(staff_r, staff_t) ++') ++ ++optional_policy(` + kerneloops_dbus_chat(staff_t) +') + @@ -11671,7 +11751,7 @@ index 2be17d2..faaf889 100644 optional_policy(` vlock_run(staff_t, staff_r) -@@ -137,10 +256,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +260,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -12710,10 +12790,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..7d5de28 +index 0000000..ec21f9a --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,489 @@ +@@ -0,0 +1,493 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## 
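Review bot: `mls_file_downgrade(kernel_t)` is added to kernel.te with no comment, and the commit message's only kernel item is "Kernel wants to read /proc", which this line does not implement. Letting the kernel domain lower the sensitivity label of files relaxes the MLS write-down constraint for everything that runs as kernel_t, so it deserves a one-line justification beside it, e.g. `# kernel_t must lower file sensitivity labels for <reason — TODO fill in>`, plus a bullet in the description. The surrounding mls_* rules are context from an earlier revision and are not affected.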
@@ -13043,6 +13123,10 @@ index 0000000..7d5de28 +') + +optional_policy(` ++ mock_role(unconfined_r, unconfined_t) ++') ++ ++optional_policy(` + modutils_run_update_mods(unconfined_t, unconfined_r) +') + @@ -17628,7 +17712,7 @@ index 9a0da94..2ede737 100644 + admin_pattern($1, chronyd_tmpfs_t) ') diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te -index fa82327..7f4ca47 100644 +index fa82327..db20d26 100644 --- a/policy/modules/services/chronyd.te +++ b/policy/modules/services/chronyd.te @@ -15,6 +15,9 @@ init_script_file(chronyd_initrc_exec_t) @@ -17641,7 +17725,11 @@ index fa82327..7f4ca47 100644 type chronyd_var_lib_t; files_type(chronyd_var_lib_t) -@@ -37,6 +40,10 @@ allow chronyd_t self:unix_dgram_socket create_socket_perms; +@@ -34,9 +37,14 @@ allow chronyd_t self:process { getcap setcap setrlimit }; + allow chronyd_t self:shm create_shm_perms; + allow chronyd_t self:udp_socket create_socket_perms; + allow chronyd_t self:unix_dgram_socket create_socket_perms; ++allow chronyd_t self:fifo_file rw_fifo_file_perms; allow chronyd_t chronyd_keys_t:file read_file_perms; 
@@ -17652,14 +17740,27 @@ index fa82327..7f4ca47 100644 manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) -@@ -50,6 +57,7 @@ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) +@@ -50,6 +58,11 @@ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) files_pid_filetrans(chronyd_t, chronyd_var_run_t, file) ++kernel_read_system_state(chronyd_t) ++ ++corecmd_exec_shell(chronyd_t) ++ +corenet_udp_bind_generic_node(chronyd_t) corenet_udp_bind_ntp_port(chronyd_t) # bind to udp/323 corenet_udp_bind_chronyd_port(chronyd_t) +@@ -63,6 +76,8 @@ logging_send_syslog_msg(chronyd_t) + + miscfiles_read_localization(chronyd_t) + ++mta_send_mail(chronyd_t) ++ + optional_policy(` + gpsd_rw_shm(chronyd_t) + ') diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if index 1f11572..7f6a7ab 100644 --- a/policy/modules/services/clamav.if @@ -18058,10 +18159,10 @@ index 0000000..a2c7134 + corosync_stream_connect(cmirrord_t) +') diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc -index 1cf6c4e..90c60df 100644 +index 1cf6c4e..e4bac67 100644 --- a/policy/modules/services/cobbler.fc +++ b/policy/modules/services/cobbler.fc -@@ -1,7 +1,32 @@ +@@ -1,7 +1,33 @@ -/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0) -/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0) 
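Review bot: `corecmd_exec_shell(chronyd_t)` and `mta_send_mail(chronyd_t)` give a time daemon unconditional shell execution and mail delivery, with no comment naming the chronyd feature that needs them; the description only restates the grant. Presumably this is chrony's mail-on-clock-change notification, which most installs never configure, so add a why-comment such as `# chronyd runs a shell to send mail when the clock is stepped (mail-on-change notification)` and consider placing both lines under a tunable so the default grant stays narrow. The `self:fifo_file rw_fifo_file_perms` line in the preceding chronyd hunk looks like part of the same shell/mail path and could carry the same comment.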
@@ -18075,6 +18176,7 @@ index 1cf6c4e..90c60df 100644 +/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) + +/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) ++/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) @@ -20520,7 +20622,7 @@ index f706b99..22b862e 100644 + files_list_pids($1) ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..4ecd4b7 100644 +index f231f17..10c33ed 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t) @@ -20546,7 +20648,7 @@ index f231f17..4ecd4b7 100644 kernel_getattr_message_if(devicekit_disk_t) kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) -@@ -105,8 +110,10 @@ domain_read_all_domains_state(devicekit_disk_t) +@@ -105,14 +110,17 @@ domain_read_all_domains_state(devicekit_disk_t) files_dontaudit_read_all_symlinks(devicekit_disk_t) files_getattr_all_sockets(devicekit_disk_t) @@ -20558,7 +20660,14 @@ index f231f17..4ecd4b7 100644 files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_files(devicekit_disk_t) -@@ -178,25 +185,47 @@ optional_policy(` + files_read_etc_runtime_files(devicekit_disk_t) + files_read_usr_files(devicekit_disk_t) + ++fs_getattr_all_fs(devicekit_disk_t) + fs_list_inotifyfs(devicekit_disk_t) + fs_manage_fusefs_dirs(devicekit_disk_t) + fs_mount_all_fs(devicekit_disk_t) +@@ -178,25 +186,47 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') 
@@ -20607,7 +20716,7 @@ index f231f17..4ecd4b7 100644 kernel_search_debugfs(devicekit_power_t) kernel_write_proc_files(devicekit_power_t) -@@ -212,12 +241,16 @@ dev_rw_generic_usb_dev(devicekit_power_t) +@@ -212,12 +242,16 @@ dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_generic_chr_files(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) @@ -20624,7 +20733,7 @@ index f231f17..4ecd4b7 100644 term_use_all_terms(devicekit_power_t) -@@ -225,8 +258,11 @@ auth_use_nsswitch(devicekit_power_t) +@@ -225,8 +259,11 @@ auth_use_nsswitch(devicekit_power_t) miscfiles_read_localization(devicekit_power_t) @@ -20636,7 +20745,7 @@ index f231f17..4ecd4b7 100644 userdom_read_all_users_state(devicekit_power_t) -@@ -261,14 +297,21 @@ optional_policy(` +@@ -261,14 +298,21 @@ optional_policy(` ') optional_policy(` @@ -20659,7 +20768,7 @@ index f231f17..4ecd4b7 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -276,9 +319,21 @@ optional_policy(` +@@ -276,9 +320,21 @@ optional_policy(` ') optional_policy(` 
@@ -22302,6 +22411,173 @@ index 6537214..7d64c0a 100644 ps_process_pattern($1, fetchmail_t) files_list_etc($1) +diff --git a/policy/modules/services/firewalld.fc b/policy/modules/services/firewalld.fc +new file mode 100644 +index 0000000..ba9a7a9 +--- /dev/null ++++ b/policy/modules/services/firewalld.fc +@@ -0,0 +1,10 @@ ++ ++/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0) ++ ++ ++/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0) ++ ++/var/log/firewalld -- gen_context(system_u:object_r:firewalld_var_log_t,s0) ++ ++/var/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0) ++/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0) +diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if +new file mode 100644 +index 0000000..84d1768 +--- /dev/null ++++ b/policy/modules/services/firewalld.if +@@ -0,0 +1,73 @@ ++ ++## policy for firewalld ++ ++ ++######################################## ++## ++## Execute a domain transition to run firewalld. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`firewalld_domtrans',` ++ gen_require(` ++ type firewalld_t, firewalld_exec_t; ++ ') ++ ++ domtrans_pattern($1, firewalld_exec_t, firewalld_t) ++') ++ ++ ++######################################## ++## ++## Execute firewalld server in the firewalld domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`firewalld_initrc_domtrans',` ++ gen_require(` ++ type firewalld_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, firewalld_initrc_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an firewalld environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`firewalld_admin',` ++ gen_require(` ++ type firewalld_t; ++ type firewalld_initrc_exec_t; ++ ') ++ ++ allow $1 firewalld_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, firewalld_t) ++ ++ firewalld_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 firewalld_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++') +diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te +new file mode 100644 +index 0000000..ebb76c1 +--- /dev/null ++++ b/policy/modules/services/firewalld.te +@@ -0,0 +1,66 @@ ++ ++policy_module(firewalld,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type firewalld_t; ++type firewalld_exec_t; ++init_daemon_domain(firewalld_t, firewalld_exec_t) ++ ++permissive firewalld_t; ++ ++type firewalld_initrc_exec_t; ++init_script_file(firewalld_initrc_exec_t) ++ ++type firewalld_var_log_t; ++logging_log_file(firewalld_var_log_t) ++ ++type firewalld_var_run_t; ++files_pid_file(firewalld_var_run_t) ++ ++######################################## ++# ++# firewalld local policy ++# ++ ++allow firewalld_t self:fifo_file rw_fifo_file_perms; ++allow firewalld_t self:unix_stream_socket create_stream_socket_perms; ++ ++append_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t) ++create_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t) ++read_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t) ++setattr_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t) ++logging_log_filetrans(firewalld_t, firewalld_var_log_t, file) ++ ++# should be fixed to cooperate with systemd to create /var/run/firewalld directory ++manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t) ++files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file }) ++ ++kernel_read_network_state(firewalld_t) ++kernel_read_system_state(firewalld_t) ++ ++corecmd_exec_bin(firewalld_t) ++ 
++domain_use_interactive_fds(firewalld_t) ++ ++files_read_etc_files(firewalld_t) ++files_read_usr_files(firewalld_t) ++ ++logging_send_syslog_msg(firewalld_t) ++ ++miscfiles_read_localization(firewalld_t) ++ ++optional_policy(` ++ dbus_system_domain(firewalld_t, firewalld_exec_t) ++') ++ ++optional_policy(` ++ iptables_domtrans(firewalld_t) ++') ++ ++optional_policy(` ++ modutils_domtrans_insmod(firewalld_t) ++') diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if index ebad8c4..c02062c 100644 --- a/policy/modules/services/fprintd.if @@ -25552,10 +25828,10 @@ index 0000000..6395ec8 +') diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te new file mode 100644 -index 0000000..b05a9cd +index 0000000..36d15ad --- /dev/null +++ b/policy/modules/services/mock.te -@@ -0,0 +1,99 @@ +@@ -0,0 +1,101 @@ +policy_module(mock,1.0.0) + +######################################## @@ -25588,6 +25864,8 @@ index 0000000..b05a9cd + +allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; +allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill }; ++# Needed because mock can run java and mono withing build environment ++allow mock_t self:process { execmem execstack }; +dontaudit mock_t self:process { siginh noatsecure rlimitinh }; +allow mock_t self:fifo_file manage_fifo_file_perms; +allow mock_t self:unix_stream_socket create_stream_socket_perms; @@ -26054,10 +26332,10 @@ index 0000000..311aaed +') diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te new file mode 100644 -index 0000000..92e86a2 +index 0000000..d87d442 --- /dev/null +++ b/policy/modules/services/mpd.te -@@ -0,0 +1,127 @@ +@@ -0,0 +1,143 @@ +policy_module(mpd, 1.0.0) + +######################################## 
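Review bot: firewalld.te declares `permissive firewalld_t;` without a comment, so every denial for the new domain is logged but not enforced; if that is deliberate for a first cut, say so beside it, e.g. `# permissive until the domain has been exercised on real systems; remove before the policy is treated as stable`, and mention it in the description, which only says "Add firewalld policy". Two smaller gaps: firewalld.fc labels `/var/run/firewalld(/.*)?` as a directory tree, but the .te has only `manage_files_pattern` and a `{ file }` filetrans for firewalld_var_run_t, so a directory the daemon creates would not receive the label (the comment about systemd suggests this is known — `manage_dirs_pattern` plus `{ dir file }` in the filetrans would close it); and `firewalld_admin` grants ptrace/signal and the initrc transition but no `admin_pattern` for firewalld_var_log_t or firewalld_var_run_t, unlike mysql_admin and chronyd_admin elsewhere in this patch. Finally, "an firewalld environment" in the firewalld_admin header should read "a firewalld environment".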
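Review bot: `allow mock_t self:process { execmem execstack };` in mock.te is an unconditional grant of executable anonymous memory and an executable stack to the entire build domain, justified only by a comment about java and mono. Since only builds using those runtimes need it, consider putting the rule under a tunable so other mock builds keep W^X, or at least extend the comment to say the weakening applies to every build. The comment also has a typo; it should read `# Needed because mock can run java and mono within the build environment`. The rest of mock_t's rules lie outside this hunk.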
@@ -26127,6 +26405,8 @@ index 0000000..92e86a2 +manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) +files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file }) + ++# needed by pulseaudio ++kernel_getattr_proc(mpd_t) +kernel_read_system_state(mpd_t) +kernel_read_kernel_sysctls(mpd_t) + @@ -26141,6 +26421,7 @@ index 0000000..92e86a2 +corenet_tcp_bind_soundd_port(mpd_t) + +dev_read_sound(mpd_t) ++dev_write_sound(mpd_t) +dev_read_sysfs(mpd_t) + +files_read_usr_files(mpd_t) @@ -26173,6 +26454,10 @@ index 0000000..92e86a2 +') + +optional_policy(` ++ consolekit_dbus_chat(mpd_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(mpd_t) +') + @@ -26183,8 +26468,17 @@ index 0000000..92e86a2 +') + +optional_policy(` ++ rtkit_daemon_dontaudit_dbus_chat(mpd_t) ++') ++ ++optional_policy(` + udev_read_db(mpd_t) +') ++ ++optional_policy(` ++ xserver_dontaudit_stream_connect(mpd_t) ++ xserver_dontaudit_read_xdm_pid(mpd_t) ++') diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc index 256166a..c526ce8 100644 --- a/policy/modules/services/mta.fc @@ -26996,7 +27290,7 @@ index f17583b..8f01394 100644 + +miscfiles_read_localization(munin_plugin_domain) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if -index e9c0982..06034b8 100644 +index e9c0982..a12d5ea 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if @@ -18,6 +18,24 @@ interface(`mysql_domtrans',` 
@@ -27024,7 +27318,32 @@ index e9c0982..06034b8 100644 ######################################## ## ## Send a generic signal to MySQL. -@@ -73,6 +91,7 @@ interface(`mysql_stream_connect',` +@@ -36,6 +54,24 @@ interface(`mysql_signal',` + allow $1 mysqld_t:process signal; + ') + ++####################################### ++## ++## Send a null signal to mysql. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mysql_signull',` ++ gen_require(` ++ type mysqld_t; ++ ') ++ ++ allow $1 mysqld_t:process signull; ++') ++ + ######################################## + ## + ## Allow the specified domain to connect to postgresql with a tcp socket. +@@ -73,6 +109,7 @@ interface(`mysql_stream_connect',` type mysqld_t, mysqld_var_run_t, mysqld_db_t; ') @@ -27032,7 +27351,7 @@ index e9c0982..06034b8 100644 stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) ') -@@ -252,7 +271,7 @@ interface(`mysql_write_log',` +@@ -252,7 +289,7 @@ interface(`mysql_write_log',` ') logging_search_logs($1) @@ -27041,7 +27360,7 @@ index e9c0982..06034b8 100644 ') ###################################### -@@ -329,10 +348,9 @@ interface(`mysql_search_pid_files',` +@@ -329,10 +366,9 @@ interface(`mysql_search_pid_files',` # interface(`mysql_admin',` gen_require(` @@ -27055,7 +27374,7 @@ index e9c0982..06034b8 100644 ') allow $1 mysqld_t:process { ptrace signal_perms }; -@@ -343,13 +361,17 @@ interface(`mysql_admin',` +@@ -343,13 +379,17 @@ interface(`mysql_admin',` role_transition $2 mysqld_initrc_exec_t system_r; allow $2 system_r; @@ -27074,7 +27393,7 @@ index e9c0982..06034b8 100644 admin_pattern($1, mysqld_tmp_t) ') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te -index 0a0d63c..d02b476 100644 +index 0a0d63c..024120d 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0) 
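Review bot: The new `mysql_signull` interface in mysql.if uses a banner that looks one `#` shorter than the surrounding ones and lower-case "mysql" where the adjacent mysql_signal says `## Send a generic signal to MySQL.`; aligning both keeps the generated interface documentation uniform: `## Send a null signal to MySQL.`. Otherwise the interface mirrors mysql_signal correctly and is consumed by `mysql_signull(mysqld_safe_t)` in the mysql.te hunk further down.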
@@ -27142,7 +27461,7 @@ index 0a0d63c..d02b476 100644 files_read_etc_files(mysqld_safe_t) files_read_usr_files(mysqld_safe_t) files_dontaudit_getattr_all_dirs(mysqld_safe_t) -@@ -183,6 +186,8 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) +@@ -183,11 +186,14 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) hostname_exec(mysqld_safe_t) @@ -27151,6 +27470,12 @@ index 0a0d63c..d02b476 100644 miscfiles_read_localization(mysqld_safe_t) mysql_manage_db_files(mysqld_safe_t) + mysql_read_config(mysqld_safe_t) + mysql_search_pid_files(mysqld_safe_t) ++mysql_signull(mysqld_safe_t) + mysql_write_log(mysqld_safe_t) + + ######################################## diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if index 8581040..cfcdf10 100644 --- a/policy/modules/services/nagios.if @@ -27239,7 +27564,7 @@ index 8581040..cfcdf10 100644 allow $1 nagios_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index bf64a4c..86c9cba 100644 +index bf64a4c..331ad53 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) @@ -27338,7 +27663,7 @@ index bf64a4c..86c9cba 100644 files_read_etc_runtime_files(nagios_checkdisk_plugin_t) fs_getattr_all_fs(nagios_checkdisk_plugin_t) -@@ -323,7 +328,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -323,10 +328,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; allow nagios_services_plugin_t self:process { signal sigkill }; 
@@ -27346,7 +27671,12 @@ index bf64a4c..86c9cba 100644 allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_services_plugin_t self:udp_socket create_socket_perms; -@@ -340,6 +344,8 @@ files_read_usr_files(nagios_services_plugin_t) ++kernel_read_system_state(nagios_services_plugin_t) ++ + corecmd_exec_bin(nagios_services_plugin_t) + + corenet_tcp_connect_all_ports(nagios_services_plugin_t) +@@ -340,6 +346,8 @@ files_read_usr_files(nagios_services_plugin_t) optional_policy(` netutils_domtrans_ping(nagios_services_plugin_t) @@ -34358,7 +34688,7 @@ index 82cb169..9e72970 100644 + admin_pattern($1, samba_unconfined_script_exec_t) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..6e627d6 100644 +index e30bb63..a7f61a3 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) @@ -34398,7 +34728,7 @@ index e30bb63..6e627d6 100644 allow smbd_t swat_t:process signal; -@@ -323,10 +320,12 @@ dev_getattr_all_blk_files(smbd_t) +@@ -323,15 +320,18 @@ dev_getattr_all_blk_files(smbd_t) dev_getattr_all_chr_files(smbd_t) fs_getattr_all_fs(smbd_t) @@ -34411,7 +34741,13 @@ index e30bb63..6e627d6 100644 auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) -@@ -343,6 +342,7 @@ files_read_usr_files(smbd_t) + auth_domtrans_upd_passwd(smbd_t) + auth_manage_cache(smbd_t) ++auth_write_login_records(smbd_t) + + domain_use_interactive_fds(smbd_t) + domain_dontaudit_list_all_domains_state(smbd_t) +@@ -343,6 +343,7 @@ files_read_usr_files(smbd_t) files_search_spool(smbd_t) # smbd seems to getattr all mountpoints files_dontaudit_getattr_all_dirs(smbd_t) 
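Review bot: `auth_write_login_records(smbd_t)` in samba.te lets the file server write the system login records (wtmp, per the description) with no comment saying what triggers it; a short `# smbd appends session login/logout entries to wtmp — presumably its utmp session-logging option` beside the line would tell the next reader why a file-sharing daemon touches authentication logs. The matching bullet in the description reads "sambd daemon" and should say "smbd daemon".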
@@ -34419,7 +34755,7 @@ index e30bb63..6e627d6 100644 # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) -@@ -385,12 +385,7 @@ tunable_policy(`samba_domain_controller',` +@@ -385,12 +386,7 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -34433,7 +34769,7 @@ index e30bb63..6e627d6 100644 ') # Support Samba sharing of NFS mount points -@@ -445,8 +440,8 @@ optional_policy(` +@@ -445,8 +441,8 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -34443,7 +34779,7 @@ index e30bb63..6e627d6 100644 tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) -@@ -462,8 +457,8 @@ tunable_policy(`samba_export_all_rw',` +@@ -462,8 +458,8 @@ tunable_policy(`samba_export_all_rw',` auth_manage_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_manage_all_files_except_shadow(nmbd_t) @@ -34453,7 +34789,7 @@ index e30bb63..6e627d6 100644 ######################################## # -@@ -484,8 +479,9 @@ allow nmbd_t self:udp_socket create_socket_perms; +@@ -484,8 +480,9 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -34464,7 +34800,7 @@ index e30bb63..6e627d6 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -560,13 +556,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; +@@ -560,13 +557,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; allow smbcontrol_t nmbd_t:process { signal signull }; 
@@ -34482,7 +34818,7 @@ index e30bb63..6e627d6 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -677,7 +673,7 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +674,7 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -34491,7 +34827,7 @@ index e30bb63..6e627d6 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +688,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +689,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -34506,7 +34842,7 @@ index e30bb63..6e627d6 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +708,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +709,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -34514,7 +34850,7 @@ index e30bb63..6e627d6 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +753,8 @@ logging_search_logs(swat_t) +@@ -754,6 +754,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -34523,7 +34859,7 @@ index e30bb63..6e627d6 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -806,14 +807,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,14 +808,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) 
@@ -34543,7 +34879,7 @@ index e30bb63..6e627d6 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +834,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +835,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -34551,7 +34887,7 @@ index e30bb63..6e627d6 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -922,6 +924,18 @@ optional_policy(` +@@ -922,6 +925,18 @@ optional_policy(` # optional_policy(` @@ -34570,7 +34906,7 @@ index e30bb63..6e627d6 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +946,12 @@ optional_policy(` +@@ -932,9 +947,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -36228,7 +36564,7 @@ index 22adaca..784c363 100644 + allow $1 sshd_t:process signull; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..f4626c0 100644 +index 2dad3c8..2b6aef5 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) @@ -36497,7 +36833,7 @@ index 2dad3c8..f4626c0 100644 +') + +optional_policy(` -+ amanda_search_lib(sshd_t) ++ amanda_search_var_lib(sshd_t) ') optional_policy(` @@ -37997,7 +38333,7 @@ index 7c5d8d8..5e2f264 100644 + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..191efb7 100644 +index 3eca020..d81582c 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,80 +5,97 @@ policy_module(virt, 1.4.0) 
@@ -38312,9 +38648,9 @@ index 3eca020..191efb7 100644 logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) -+ -+selinux_validate_context(virtd_t) ++selinux_validate_context(virtd_t) ++ +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -38338,7 +38674,18 @@ index 3eca020..191efb7 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -365,6 +450,8 @@ optional_policy(` +@@ -329,6 +414,10 @@ optional_policy(` + ') + + optional_policy(` ++ dmidecode_domtrans(virtd_t) ++') ++ ++optional_policy(` + dnsmasq_domtrans(virtd_t) + dnsmasq_signal(virtd_t) + dnsmasq_kill(virtd_t) +@@ -365,6 +454,8 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -38347,7 +38694,7 @@ index 3eca020..191efb7 100644 ') optional_policy(` -@@ -396,12 +483,25 @@ optional_policy(` +@@ -396,12 +487,25 @@ optional_policy(` allow virt_domain self:capability { dac_read_search dac_override kill }; allow virt_domain self:process { execmem execstack signal getsched signull }; @@ -38374,7 +38721,7 @@ index 3eca020..191efb7 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +522,7 @@ corenet_rw_tun_tap_dev(virt_domain) +@@ -422,6 +526,7 @@ corenet_rw_tun_tap_dev(virt_domain) corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -38382,7 +38729,7 @@ index 3eca020..191efb7 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +530,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +534,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) 
@@ -38395,7 +38742,7 @@ index 3eca020..191efb7 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +543,11 @@ files_search_all(virt_domain) +@@ -440,6 +547,11 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -38407,7 +38754,7 @@ index 3eca020..191efb7 100644 term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +565,117 @@ optional_policy(` +@@ -457,8 +569,117 @@ optional_policy(` ') optional_policy(` @@ -38933,7 +39280,7 @@ index 6f1e3c7..ecfe665 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index da2601a..6b12229 100644 +index da2601a..61bce48 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -39325,16 +39672,34 @@ index da2601a..6b12229 100644 ') ######################################## -@@ -805,7 +869,7 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +869,25 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) - allow $1 xdm_var_run_t:file read_file_perms; + read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) ++') ++ ++###################################### ++## ++## Dontaudit Read XDM pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_dontaudit_read_xdm_pid',` ++ gen_require(` ++ type xdm_var_run_t; ++ ') ++ ++ dontaudit $1 xdm_var_run_t:file read_file_perms; ') ######################################## -@@ -897,7 +961,7 @@ interface(`xserver_getattr_log',` +@@ -897,7 +979,7 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) 
@@ -39343,7 +39708,7 @@ index da2601a..6b12229 100644 ') ######################################## -@@ -916,7 +980,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +998,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -39352,7 +39717,7 @@ index da2601a..6b12229 100644 ') ######################################## -@@ -963,6 +1027,45 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1045,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -39398,7 +39763,7 @@ index da2601a..6b12229 100644 ## Read xdm temporary files. ## ## -@@ -976,7 +1079,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -976,7 +1097,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -39407,7 +39772,7 @@ index da2601a..6b12229 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1038,6 +1141,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1038,6 +1159,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -39450,7 +39815,7 @@ index da2601a..6b12229 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1052,7 +1191,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1052,7 +1209,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -39459,7 +39824,7 @@ index da2601a..6b12229 100644 ') ######################################## -@@ -1070,8 +1209,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1227,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') 
@@ -39471,15 +39836,34 @@ index da2601a..6b12229 100644 ') ######################################## -@@ -1185,6 +1326,7 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1344,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) + allow xserver_t $1:shm rw_shm_perms; ++') ++ ++###################################### ++## ++## Dontaudit attempts to connect to xserver ++## over an unix stream socket. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`xserver_dontaudit_stream_connect',` ++ gen_require(` ++ type xserver_t, xserver_tmp_t; ++ ') ++ ++ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) ') ######################################## -@@ -1210,7 +1352,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1389,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -39488,7 +39872,7 @@ index da2601a..6b12229 100644 ## ## ## -@@ -1220,13 +1362,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1399,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -39513,7 +39897,7 @@ index da2601a..6b12229 100644 ') ######################################## -@@ -1243,10 +1395,393 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1432,393 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -47450,10 +47834,10 @@ index 0000000..5f0352b + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..52a952b +index 0000000..174dd0c --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,101 @@ +@@ -0,0 +1,102 @@ + +policy_module(systemd, 1.0.0) + 
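Review bot: The new `xserver_dontaudit_stream_connect` interface grants access rather than suppressing audit: its body is `stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)`, the same macro the existing `xserver_stream_connect` interface just above it uses, and that pattern expands to allow rules. A caller that only intends to silence denials therefore silently receives permission to connect to the X server socket, contrary to what the name and the `Domain to not audit.` parameter doc promise, and nothing at build time will flag the widening. The body should instead be `dontaudit $1 xserver_tmp_t:dir search_dir_perms;`, `dontaudit $1 xserver_tmp_t:sock_file write_sock_file_perms;` and `dontaudit $1 xserver_t:unix_stream_socket connectto;`, the three permissions the pattern would otherwise allow.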
@@ -47532,6 +47916,7 @@ index 0000000..52a952b
 +files_relabelfrom_tmp_files(systemd_tmpfiles_t)
 +files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
 +files_relabel_all_tmp_files(systemd_tmpfiles_t)
++files_getattr_lost_found_dirs(systemd_tmpfiles_t)
 +
 +init_dgram_send(systemd_tmpfiles_t)
 +
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1669f5d5..b77d2c27 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.12
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,15 @@ exit 0
 %endif
 %changelog
+* Tue Jan 11 2011 Miroslav Grepl 3.9.12-6
+- Add firewalld policy
+- Allow vmware_host to read samba config
+- Kernel wants to read /proc Fix duplicate grub def in cobbler
+- Chrony sends mail, executes shell, uses fifo_file and reads /proc
+- devicekitdisk getattr all file systems
+- sambd daemon writes wtmp file
+- libvirt transitions to dmidecode
+
 * Wed Jan 5 2011 Miroslav Grepl 3.9.12-5
 - Add initial policy for system-setup-keyboard which is now daemon
 - Label /var/lock/subsys/shorewall as shorewall_lock_t