diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
index 1efe3549..1bd5812e 100644
--- a/policy/modules/services/abrt.fc
+++ b/policy/modules/services/abrt.fc
@@ -14,5 +14,7 @@
 /var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0)
 /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
 /var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
+
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
index 4b8a868a..b0b7d0f5 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
@@ -74,6 +74,25 @@ interface(`abrt_read_state',`
 ps_process_pattern($1, abrt_t)
 ')
+########################################
+##
+## Connect to abrt over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_stream_connect',`
+ gen_require(`
+ type abrt_t, abrt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t)
+')
+
 ########################################
 ##
 ## Send and receive messages from
@@ -215,6 +234,25 @@ interface(`abrt_read_pid_files',`
 read_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
 ')
+######################################
+##
+## Create, read, write, and delete abrt PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`abrt_manage_pid_files',`
+ gen_require(`
+ type abrt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
+')
+
 #####################################
 ##
 ## All of the rules required to administrate
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
index a0e53b11..9ad724ff 100644
--- a/policy/modules/services/abrt.te
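Review bot: The new `/var/spool/abrt(/.*)?` entry reuses `abrt_var_cache_t`, the type this file already gives `/var/cache/abrt`, so every rule the module grants on the cache tree (including the helper's manage rules in abrt.te) now also applies to the spool tree. If the spool holds different data from the cache, a dedicated `abrt_var_spool_t` would keep those grants separate; if the two are meant to be interchangeable, a comment above the entry such as `# spool shares the cache type; both hold abrt report data` (wording to be confirmed against what abrt stores there) would stop a later reader from splitting them. `abrtd?\.lock` now matches both `abrt.lock` and `abrtd.lock`, which looks intentional.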
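Review bot: `abrt_stream_connect` only works if the socket is labelled `abrt_var_run_t`, but nothing in this patch guarantees that label: the abrt.fc hunk adds no socket entry, and `files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })` in the abrt.te hunk at -76 still omits `sock_file`, so a socket abrtd creates directly in /var/run would be `var_run_t` and callers of this interface would be denied. Either extend that transition to `files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })` or add a .fc entry for the socket path; this only matters if the socket lives outside /var/run/abrt/, which the patch does not show. The summary `an unix stream socket` should read `a unix stream socket`, and the `abrt_manage_pid_files` header uses 38 `#` where the neighbouring headers use 40.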
+++ b/policy/modules/services/abrt.te
@@ -1,5 +1,5 @@
-policy_module(abrt, 1.1.0)
+policy_module(abrt, 1.1.1)
 ########################################
 #
@@ -76,10 +76,12 @@ manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
 files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
+files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
 # abrt pid files
 manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
@@ -102,7 +104,6 @@ corenet_tcp_connect_ftp_port(abrt_t)
 corenet_tcp_connect_all_ports(abrt_t)
 corenet_sendrecv_http_client_packets(abrt_t)
-
 dev_getattr_all_chr_files(abrt_t)
 dev_read_urand(abrt_t)
 dev_rw_sysfs(abrt_t)
@@ -156,6 +157,12 @@ optional_policy(`
 policykit_read_reload(abrt_t)
 ')
+optional_policy(`
+ prelink_exec(abrt_t)
+ libs_exec_ld_so(abrt_t)
+ corecmd_exec_all_executables(abrt_t)
+')
+
 # to install debuginfo packages
 optional_policy(`
 rpm_exec(abrt_t)
@@ -180,11 +187,12 @@ optional_policy(`
 # abrt--helper local policy
 #
-allow abrt_helper_t self:capability { chown setgid };
+allow abrt_helper_t self:capability { chown setgid sys_nice };
 allow abrt_helper_t self:process signal;
 read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
+files_search_spool(abrt_helper_t)
 manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
 manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
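Review bot: `files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)` in the -76 hunk is an unnamed transition, so every directory abrt_t creates directly under /var/spool — not only `abrt` — is created as `abrt_var_cache_t`, which would mislabel anything else the daemon drops there. If this refpolicy version's `files_spool_filetrans` accepts the optional filename argument, pass `"abrt"` to restrict it; otherwise a comment such as `# unnamed transition: abrtd is only expected to create /var/spool/abrt here` records the assumption for the next reader.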
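Review bot: The new `optional_policy` block in the -156 hunk grants `corecmd_exec_all_executables(abrt_t)` next to `prelink_exec` and `libs_exec_ld_so`, letting the daemon execute every bin/sbin-typed file in its own domain, yet unlike the `# to install debuginfo packages` block right below it carries no comment saying which abrt operation needs it. A one-line comment such as `# analysis of a dump runs prelink and the crashed binary itself — confirm` would record the reason; if the real need is only prelink and ld.so, `corecmd_exec_all_executables` is broader than required and should be dropped or narrowed. Only `prelink_exec` appears to depend on an optional module here, so if the `libs_*` and `corecmd_*` rules are not meant to be conditional on prelink, moving them outside the block would make the intent clearer.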
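Review bot: `files_search_spool(abrt_helper_t)` in the -180 hunk lets the helper reach /var/spool, but unlike abrt_t in the -76 hunk it gets no `files_spool_filetrans`, so if the helper is ever the first process to create `/var/spool/abrt` that directory receives the default spool type rather than `abrt_var_cache_t` and the helper's own manage rules on `abrt_var_cache_t` no longer apply to it; if abrtd always creates the directory first, a comment saying so would make that dependency explicit. The `sys_nice` added to `allow abrt_helper_t self:capability { chown setgid sys_nice };` likewise lacks a comment on what the helper renices; if it only stems from a setpriority() call whose failure the helper tolerates, `dontaudit abrt_helper_t self:capability sys_nice;` would silence the denial without granting the capability.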