- Make DSPAM work as an LDA

- Allow ntop to create netlink socket
- Allow policykit to send a signal to policykit-auth
- Allow stapserver to dbus chat with avahi/systemd-logind
- Fix labeling on haproxy unit file
- Clean up haproxy policy
- A new policy for haproxy and placed it to rhcs.te
- Add support for ldirectord and treat it with cluster_t
- Make sure anaconda log dir is created with var_log_t
This commit is contained in:
Miroslav Grepl 2013-06-27 07:36:03 +02:00
parent 7c810a8041
commit b27c1f138f
3 changed files with 161 additions and 71 deletions


@ -29915,7 +29915,7 @@ index b50c5fe..2faaaf2 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+ +
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 4e94884..5481f47 100644 index 4e94884..55d2481 100644
--- a/policy/modules/system/logging.if --- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@ -30011,11 +30011,18 @@ index 4e94884..5481f47 100644
gen_require(` gen_require(`
- type syslogd_t, devlog_t; - type syslogd_t, devlog_t;
+ attribute syslog_client_type; + attribute syslog_client_type;
+ ') ')
+
- allow $1 devlog_t:lnk_file read_lnk_file_perms;
- allow $1 devlog_t:sock_file write_sock_file_perms;
+ typeattribute $1 syslog_client_type; + typeattribute $1 syslog_client_type;
+') +')
+
- # the type of socket depends on the syslog daemon
- allow $1 syslogd_t:unix_dgram_socket sendto;
- allow $1 syslogd_t:unix_stream_socket connectto;
- allow $1 self:unix_dgram_socket create_socket_perms;
- allow $1 self:unix_stream_socket create_socket_perms;
+######################################## +########################################
+## <summary> +## <summary>
+## Connect to the syslog control unix stream socket. +## Connect to the syslog control unix stream socket.
@ -30030,7 +30037,11 @@ index 4e94884..5481f47 100644
+ gen_require(` + gen_require(`
+ type devlog_t; + type devlog_t;
+ ') + ')
+
- # If syslog is down, the glibc syslog() function
- # will write to the console.
- term_write_console($1)
- term_dontaudit_read_console($1)
+ allow $1 devlog_t:sock_file manage_sock_file_perms; + allow $1 devlog_t:sock_file manage_sock_file_perms;
+ dev_filetrans($1, devlog_t, sock_file) + dev_filetrans($1, devlog_t, sock_file)
+ init_pid_filetrans($1, devlog_t, sock_file, "syslog") + init_pid_filetrans($1, devlog_t, sock_file, "syslog")
@ -30067,18 +30078,11 @@ index 4e94884..5481f47 100644
+interface(`logging_relabel_syslog_pid_socket',` +interface(`logging_relabel_syslog_pid_socket',`
+ gen_require(` + gen_require(`
+ type devlog_t; + type devlog_t;
') + ')
+
- allow $1 devlog_t:lnk_file read_lnk_file_perms;
- allow $1 devlog_t:sock_file write_sock_file_perms;
+ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; + allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
+') +')
+
- # the type of socket depends on the syslog daemon
- allow $1 syslogd_t:unix_dgram_socket sendto;
- allow $1 syslogd_t:unix_stream_socket connectto;
- allow $1 self:unix_dgram_socket create_socket_perms;
- allow $1 self:unix_stream_socket create_socket_perms;
+######################################## +########################################
+## <summary> +## <summary>
+## Connect to the syslog control unix stream socket. +## Connect to the syslog control unix stream socket.
@ -30093,11 +30097,7 @@ index 4e94884..5481f47 100644
+ gen_require(` + gen_require(`
+ type syslogd_t, syslogd_var_run_t; + type syslogd_t, syslogd_var_run_t;
+ ') + ')
+
- # If syslog is down, the glibc syslog() function
- # will write to the console.
- term_write_console($1)
- term_dontaudit_read_console($1)
+ files_search_pids($1) + files_search_pids($1)
+ stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) + stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
') ')
@ -30288,7 +30288,7 @@ index 4e94884..5481f47 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t) init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1) domain_system_change_exemption($1)
@@ -1085,3 +1323,33 @@ interface(`logging_admin',` @@ -1085,3 +1323,35 @@ interface(`logging_admin',`
logging_admin_audit($1, $2) logging_admin_audit($1, $2)
logging_admin_syslog($1, $2) logging_admin_syslog($1, $2)
') ')
@ -30321,6 +30321,8 @@ index 4e94884..5481f47 100644
+ files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf") + files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
+ +
+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal") + init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
+
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+') +')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 39ea221..7094526 100644 index 39ea221..7094526 100644
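Review bot: The new `logging_log_filetrans($1, var_log_t, dir, "anaconda")` line in the last logging.if hunk references `var_log_t`, and the `gen_require` block of the interface it is added to lies outside the hunk, so it is not visible whether `type var_log_t;` is required there; if it is not, a caller module that does not itself require `var_log_t` fails to compile. The neighbouring `files_etc_filetrans($1, syslog_conf_t, ...)` and `init_named_pid_filetrans($1, syslogd_var_run_t, ...)` lines in the same interface suggest the block already lists `syslog_conf_t` and `syslogd_var_run_t`, so the fix, if needed, is one added line in that block: `type var_log_t;`. A short comment above the new rule would also help, e.g. `# anaconda log dir is created directly under /var/log and must stay generic var_log_t`. The enclosing interface starts before the hunk, and its name is not visible from this rendering.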


@ -22423,7 +22423,7 @@ index 18f2452..a446210 100644
+ +
') ')
diff --git a/dspam.te b/dspam.te diff --git a/dspam.te b/dspam.te
index 266cb8f..d606e12 100644 index 266cb8f..63643a8 100644
--- a/dspam.te --- a/dspam.te
+++ b/dspam.te +++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t) @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
@ -22473,6 +22473,18 @@ index 266cb8f..d606e12 100644
') ')
optional_policy(` optional_policy(`
@@ -87,3 +109,11 @@ optional_policy(`
postgresql_tcp_connect(dspam_t)
')
+
+optional_policy(`
+ postfix_rw_inherited_master_pipes(dspam_t)
+')
+
+optional_policy(`
+ procmail_domtrans(dspam_t)
+')
diff --git a/entropyd.te b/entropyd.te diff --git a/entropyd.te b/entropyd.te
index a0da189..d8bc9d5 100644 index a0da189..d8bc9d5 100644
--- a/entropyd.te --- a/entropyd.te
@ -47704,10 +47716,18 @@ index 0000000..7d839fe
+ pulseaudio_setattr_home_dir(nsplugin_t) + pulseaudio_setattr_home_dir(nsplugin_t)
+') +')
diff --git a/ntop.te b/ntop.te diff --git a/ntop.te b/ntop.te
index 52757d8..6ce5c69 100644 index 52757d8..0f7f5e4 100644
--- a/ntop.te --- a/ntop.te
+++ b/ntop.te +++ b/ntop.te
@@ -58,7 +58,6 @@ kernel_read_system_state(ntop_t) @@ -33,6 +33,7 @@ allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
dontaudit ntop_t self:capability sys_tty_config;
allow ntop_t self:process signal_perms;
allow ntop_t self:fifo_file rw_fifo_file_perms;
+allow ntop_t self:netlink_socket create_socket_perms;
allow ntop_t self:tcp_socket { accept listen };
allow ntop_t self:unix_stream_socket { accept listen };
allow ntop_t self:packet_socket create_socket_perms;
@@ -58,7 +59,6 @@ kernel_read_system_state(ntop_t)
kernel_read_network_state(ntop_t) kernel_read_network_state(ntop_t)
kernel_read_kernel_sysctls(ntop_t) kernel_read_kernel_sysctls(ntop_t)
@ -47715,7 +47735,7 @@ index 52757d8..6ce5c69 100644
corenet_all_recvfrom_netlabel(ntop_t) corenet_all_recvfrom_netlabel(ntop_t)
corenet_tcp_sendrecv_generic_if(ntop_t) corenet_tcp_sendrecv_generic_if(ntop_t)
corenet_raw_sendrecv_generic_if(ntop_t) corenet_raw_sendrecv_generic_if(ntop_t)
@@ -78,10 +77,11 @@ corenet_tcp_sendrecv_http_port(ntop_t) @@ -78,10 +78,11 @@ corenet_tcp_sendrecv_http_port(ntop_t)
dev_read_sysfs(ntop_t) dev_read_sysfs(ntop_t)
dev_rw_generic_usb_dev(ntop_t) dev_rw_generic_usb_dev(ntop_t)
@ -54846,7 +54866,7 @@ index 032a84d..be00a65 100644
+ allow $1 policykit_auth_t:process signal; + allow $1 policykit_auth_t:process signal;
') ')
diff --git a/policykit.te b/policykit.te diff --git a/policykit.te b/policykit.te
index 49694e8..12483ae 100644 index 49694e8..d14cc7d 100644
--- a/policykit.te --- a/policykit.te
+++ b/policykit.te +++ b/policykit.te
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -54878,7 +54898,7 @@ index 49694e8..12483ae 100644
type policykit_resolve_t, policykit_domain; type policykit_resolve_t, policykit_domain;
type policykit_resolve_exec_t; type policykit_resolve_exec_t;
@@ -42,63 +37,65 @@ files_pid_file(policykit_var_run_t) @@ -42,63 +37,66 @@ files_pid_file(policykit_var_run_t)
####################################### #######################################
# #
@ -54914,6 +54934,7 @@ index 49694e8..12483ae 100644
+allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ +
+policykit_domtrans_auth(policykit_t) +policykit_domtrans_auth(policykit_t)
+allow policykit_t policykit_auth_t:process signal;
+ +
+can_exec(policykit_t, policykit_exec_t) +can_exec(policykit_t, policykit_exec_t)
+corecmd_exec_bin(policykit_t) +corecmd_exec_bin(policykit_t)
@ -54963,7 +54984,7 @@ index 49694e8..12483ae 100644
optional_policy(` optional_policy(`
consolekit_dbus_chat(policykit_t) consolekit_dbus_chat(policykit_t)
') ')
@@ -109,29 +106,43 @@ optional_policy(` @@ -109,29 +107,43 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -55015,7 +55036,7 @@ index 49694e8..12483ae 100644
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
@@ -145,9 +156,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) @@ -145,9 +157,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@ -55025,7 +55046,7 @@ index 49694e8..12483ae 100644
kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
dev_read_video_dev(policykit_auth_t) dev_read_video_dev(policykit_auth_t)
@@ -157,53 +165,64 @@ files_search_home(policykit_auth_t) @@ -157,53 +166,64 @@ files_search_home(policykit_auth_t)
fs_getattr_all_fs(policykit_auth_t) fs_getattr_all_fs(policykit_auth_t)
fs_search_tmpfs(policykit_auth_t) fs_search_tmpfs(policykit_auth_t)
@ -55100,7 +55121,7 @@ index 49694e8..12483ae 100644
rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
@@ -211,23 +230,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t @@ -211,23 +231,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
@ -55127,7 +55148,7 @@ index 49694e8..12483ae 100644
optional_policy(` optional_policy(`
consolekit_dbus_chat(policykit_grant_t) consolekit_dbus_chat(policykit_grant_t)
') ')
@@ -235,26 +251,28 @@ optional_policy(` @@ -235,26 +252,28 @@ optional_policy(`
######################################## ########################################
# #
@ -55162,7 +55183,7 @@ index 49694e8..12483ae 100644
userdom_read_all_users_state(policykit_resolve_t) userdom_read_all_users_state(policykit_resolve_t)
optional_policy(` optional_policy(`
@@ -266,6 +284,7 @@ optional_policy(` @@ -266,6 +285,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -66629,10 +66650,10 @@ index b418d1c..1ad9c12 100644
xen_domtrans_xm(rgmanager_t) xen_domtrans_xm(rgmanager_t)
') ')
diff --git a/rhcs.fc b/rhcs.fc diff --git a/rhcs.fc b/rhcs.fc
index 47de2d6..1f5dbf8 100644 index 47de2d6..347ddf7 100644
--- a/rhcs.fc --- a/rhcs.fc
+++ b/rhcs.fc +++ b/rhcs.fc
@@ -1,31 +1,74 @@ @@ -1,31 +1,80 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@ -66644,6 +66665,7 @@ index 47de2d6..1f5dbf8 100644
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) +/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0) +/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) +/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0)
+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) +/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
-/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) -/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@ -66654,14 +66676,16 @@ index 47de2d6..1f5dbf8 100644
-/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) -/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
-/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) -/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
-/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) -/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) +/usr/lib/systemd/system/haproxy.* -- gen_context(system_u:object_r:haproxy_unit_file_t,s0)
-/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) -/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) +/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
-/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) -/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
- +/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
+/var/lib/haproxy(/.*)? gen_context(system_u:object_r:haproxy_var_lib_t,s0)
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
-/var/log/cluster/.*\.*log <<none>> -/var/log/cluster/.*\.*log <<none>>
+/var/log/cluster/.*\.*log <<none>> +/var/log/cluster/.*\.*log <<none>>
/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
@ -66669,8 +66693,9 @@ index 47de2d6..1f5dbf8 100644
+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) +/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
-/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) -/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
-/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) +/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0) +/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) /var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
-/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0) -/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
@ -66686,6 +66711,7 @@ index 47de2d6..1f5dbf8 100644
+/var/run/fence.* gen_context(system_u:object_r:fenced_var_run_t,s0) +/var/run/fence.* gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) +/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) +/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+/var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) +/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+ +
+# cluster administrative domains file spec +# cluster administrative domains file spec
@ -66705,6 +66731,7 @@ index 47de2d6..1f5dbf8 100644
+/usr/sbin/cpglockd -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/cpglockd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/ccs_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/cman_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/ldirectord -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/rgmanager -- gen_context(system_u:object_r:cluster_exec_t,s0)
+/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+ +
@ -67437,7 +67464,7 @@ index 56bc01f..895e16e 100644
+ allow $1 cluster_unit_file_t:service all_service_perms; + allow $1 cluster_unit_file_t:service all_service_perms;
') ')
diff --git a/rhcs.te b/rhcs.te diff --git a/rhcs.te b/rhcs.te
index 2c2de9a..2bf6984 100644 index 2c2de9a..1eaca34 100644
--- a/rhcs.te --- a/rhcs.te
+++ b/rhcs.te +++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@ -67468,7 +67495,21 @@ index 2c2de9a..2bf6984 100644
attribute cluster_domain; attribute cluster_domain;
attribute cluster_log; attribute cluster_log;
attribute cluster_pid; attribute cluster_pid;
@@ -50,28 +71,267 @@ rhcs_domain_template(qdiskd) @@ -44,34 +65,281 @@ type foghorn_initrc_exec_t;
init_script_file(foghorn_initrc_exec_t)
rhcs_domain_template(gfs_controld)
+rhcs_domain_template(haproxy)
+
+type haproxy_var_lib_t;
+files_type(haproxy_var_lib_t)
+
+type haproxy_unit_file_t;
+systemd_unit_file(haproxy_unit_file_t)
+
rhcs_domain_template(groupd)
rhcs_domain_template(qdiskd)
type qdiskd_var_lib_t; type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t) files_type(qdiskd_var_lib_t)
@ -67740,7 +67781,7 @@ index 2c2de9a..2bf6984 100644
') ')
##################################### #####################################
@@ -79,7 +339,7 @@ optional_policy(` @@ -79,7 +347,7 @@ optional_policy(`
# dlm_controld local policy # dlm_controld local policy
# #
@ -67749,7 +67790,7 @@ index 2c2de9a..2bf6984 100644
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
@@ -98,6 +358,16 @@ fs_manage_configfs_dirs(dlm_controld_t) @@ -98,6 +366,16 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t)
@ -67766,7 +67807,7 @@ index 2c2de9a..2bf6984 100644
####################################### #######################################
# #
# fenced local policy # fenced local policy
@@ -105,9 +375,13 @@ init_rw_script_tmp_files(dlm_controld_t) @@ -105,9 +383,13 @@ init_rw_script_tmp_files(dlm_controld_t)
allow fenced_t self:capability { sys_rawio sys_resource }; allow fenced_t self:capability { sys_rawio sys_resource };
allow fenced_t self:process { getsched signal_perms }; allow fenced_t self:process { getsched signal_perms };
@ -67781,7 +67822,7 @@ index 2c2de9a..2bf6984 100644
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file) files_lock_filetrans(fenced_t, fenced_lock_t, file)
@@ -118,9 +392,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) @@ -118,9 +400,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@ -67792,7 +67833,7 @@ index 2c2de9a..2bf6984 100644
corecmd_exec_bin(fenced_t) corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t) corecmd_exec_shell(fenced_t)
@@ -148,9 +421,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) @@ -148,9 +429,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t) dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t) dev_read_urand(fenced_t)
@ -67803,7 +67844,7 @@ index 2c2de9a..2bf6984 100644
storage_raw_read_fixed_disk(fenced_t) storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t)
@@ -160,7 +431,7 @@ term_getattr_pty_fs(fenced_t) @@ -160,7 +439,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t) term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t) term_use_ptmx(fenced_t)
@ -67812,7 +67853,7 @@ index 2c2de9a..2bf6984 100644
tunable_policy(`fenced_can_network_connect',` tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t) corenet_sendrecv_all_client_packets(fenced_t)
@@ -190,10 +461,6 @@ optional_policy(` @@ -190,10 +469,6 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -67823,7 +67864,7 @@ index 2c2de9a..2bf6984 100644
lvm_domtrans(fenced_t) lvm_domtrans(fenced_t)
lvm_read_config(fenced_t) lvm_read_config(fenced_t)
') ')
@@ -203,6 +470,13 @@ optional_policy(` @@ -203,6 +478,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t) snmp_manage_var_lib_dirs(fenced_t)
') ')
@ -67837,7 +67878,7 @@ index 2c2de9a..2bf6984 100644
####################################### #######################################
# #
# foghorn local policy # foghorn local policy
@@ -223,14 +497,16 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -223,14 +505,16 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
dev_read_urand(foghorn_t) dev_read_urand(foghorn_t)
@ -67856,7 +67897,7 @@ index 2c2de9a..2bf6984 100644
snmp_stream_connect(foghorn_t) snmp_stream_connect(foghorn_t)
') ')
@@ -257,6 +533,8 @@ storage_getattr_removable_dev(gfs_controld_t) @@ -257,6 +541,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t)
@ -67865,7 +67906,7 @@ index 2c2de9a..2bf6984 100644
optional_policy(` optional_policy(`
lvm_exec(gfs_controld_t) lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t)
@@ -275,10 +553,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) @@ -275,10 +561,36 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t) dev_list_sysfs(groupd_t)
@ -67874,11 +67915,37 @@ index 2c2de9a..2bf6984 100644
init_rw_script_tmp_files(groupd_t) init_rw_script_tmp_files(groupd_t)
+logging_send_syslog_msg(groupd_t) +logging_send_syslog_msg(groupd_t)
+
+########################################
+#
+# haproxy local policy
+#
+
+# bug in haproxy and process vs pid owner
+allow haproxy_t self:capability dac_override;
+
+allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource };
+allow haproxy_t self:process { fork setrlimit signal_perms };
+allow haproxy_t self:fifo_file rw_fifo_file_perms;
+allow haproxy_t self:unix_stream_socket create_stream_socket_perms;
+allow haproxy_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+manage_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+manage_lnk_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file })
+
+corenet_tcp_connect_commplex_link_port(haproxy_t)
+corenet_tcp_connect_commplex_main_port(haproxy_t)
+corenet_tcp_bind_commplex_main_port(haproxy_t)
+
+sysnet_dns_name_resolve(haproxy_t)
+ +
###################################### ######################################
# #
# qdiskd local policy # qdiskd local policy
@@ -321,6 +599,8 @@ storage_raw_write_fixed_disk(qdiskd_t) @@ -321,6 +633,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t) auth_use_nsswitch(qdiskd_t)
@ -71013,7 +71080,7 @@ index 0628d50..84f2fd7 100644
+ allow rpm_script_t $1:process sigchld; + allow rpm_script_t $1:process sigchld;
') ')
diff --git a/rpm.te b/rpm.te diff --git a/rpm.te b/rpm.te
index 5cbe81c..ff2b58e 100644 index 5cbe81c..94b945c 100644
--- a/rpm.te --- a/rpm.te
+++ b/rpm.te +++ b/rpm.te
@@ -1,15 +1,13 @@ @@ -1,15 +1,13 @@
@ -71412,7 +71479,7 @@ index 5cbe81c..ff2b58e 100644
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
optional_policy(` optional_policy(`
@@ -363,40 +379,54 @@ ifdef(`distro_redhat',` @@ -363,40 +379,58 @@ ifdef(`distro_redhat',`
') ')
') ')
@ -71436,11 +71503,15 @@ index 5cbe81c..ff2b58e 100644
optional_policy(` optional_policy(`
dbus_system_bus_client(rpm_script_t) dbus_system_bus_client(rpm_script_t)
+')
- optional_policy(` - optional_policy(`
- unconfined_dbus_chat(rpm_script_t) - unconfined_dbus_chat(rpm_script_t)
- ') - ')
+ optional_policy(`
+ systemd_dbus_chat_logind(rpm_script_t)
+ ')
+')
+
+optional_policy(` +optional_policy(`
+ lvm_domtrans(rpm_script_t, rpm_script_roles) + lvm_domtrans(rpm_script_t, rpm_script_roles)
+') +')
@ -71477,7 +71548,7 @@ index 5cbe81c..ff2b58e 100644
unconfined_domtrans(rpm_script_t) unconfined_domtrans(rpm_script_t)
optional_policy(` optional_policy(`
@@ -409,6 +439,6 @@ optional_policy(` @@ -409,6 +443,6 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -81602,10 +81673,10 @@ index 0000000..80c6480
+') +')
diff --git a/stapserver.te b/stapserver.te diff --git a/stapserver.te b/stapserver.te
new file mode 100644 new file mode 100644
index 0000000..3ac6ad7 index 0000000..e472397
--- /dev/null --- /dev/null
+++ b/stapserver.te +++ b/stapserver.te
@@ -0,0 +1,107 @@ @@ -0,0 +1,113 @@
+policy_module(stapserver, 1.0.0) +policy_module(stapserver, 1.0.0)
+ +
+######################################## +########################################
@ -81691,9 +81762,15 @@ index 0000000..3ac6ad7
+#lspci +#lspci
+miscfiles_read_hwdata(stapserver_t) +miscfiles_read_hwdata(stapserver_t)
+ +
+systemd_dbus_chat_logind(stapserver_t)
+
+userdom_use_user_terminals(stapserver_t) +userdom_use_user_terminals(stapserver_t)
+ +
+optional_policy(` +optional_policy(`
+ avahi_dbus_chat(stapserver_t)
+')
+
+optional_policy(`
+ consoletype_exec(stapserver_t) + consoletype_exec(stapserver_t)
+') +')
+ +
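Review bot: The `allow haproxy_t self:capability dac_override;` rule in the rhcs.te haproxy hunk is justified only by `# bug in haproxy and process vs pid owner`, and CAP_DAC_OVERRIDE lets the domain bypass discretionary file permission checks, so the workaround should carry a tracker reference and a removal condition, e.g. `# workaround: haproxy writes its pid file as a different owner after dropping privileges (<tracker-id placeholder>); drop once fixed upstream`. In the rhcs.fc hunk, `/usr/lib/systemd/system/haproxy.* --` leaves the dot unescaped while the neighbouring `/var/run/haproxy\.pid` and `fence_manual\.lock` entries escape it; `/usr/lib/systemd/system/haproxy\.service --` (or `haproxy\..*` if more units exist) follows the file's convention and avoids labeling unrelated `haproxy*` files. In the rpm.te hunk, the added `+')` directly after `dbus_system_bus_client(rpm_script_t)`, followed by an indented `optional_policy(` block and a second `+')`, reads as unbalanced m4 quoting, but the rendering drops indentation, so please confirm the resulting nesting in the patched rpm.te. Both the haproxy block in rhcs.te and the `optional_policy` block in rpm.te extend beyond what the hunks show.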


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.12.1 Version: 3.12.1
Release: 56%{?dist} Release: 57%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -539,6 +539,17 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Wed Jun 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-57
- Make DSPAM to act as a LDA working
- Allow ntop to create netlink socket
- Allow policykit to send a signal to policykit-auth
- Allow stapserver to dbus chat with avahi/systemd-logind
- Fix labeling on haproxy unit file
- Clean up haproxy policy
- A new policy for haproxy and placed it to rhcs.te
- Add support for ldirectord and treat it with cluster_t
- Make sure anaconda log dir is created with var_log_t
* Mon Jun 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-56 * Mon Jun 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-56
- Allow lvm_t to create default targets for filesystem handling - Allow lvm_t to create default targets for filesystem handling
- Fix labeling for razor-lightdm binaries - Fix labeling for razor-lightdm binaries