- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.

- Label /etc/yum.repos.d as system_conf_t
- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t
- Allow dac_override for sysadm_screen_t
- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file.
- Allow netlabel-config to read meminfo
- Add interface to allow docker to mounton file_t
- Add new interface to exec unlabeled files
- Allow lvm to use docker semaphores
- Setup transitons for .xsessions-errors.old
- Change labels of files in /var/lib/*/.ssh to transition properly
- Allow staff_t and user_t to look at logs using journalctl
- pluto wants to manage own log file
- Allow pluto running as ipsec_t to create pluto.log
- Fix alias decl in corenetwork.te.in
- Add support for fuse.glusterfs
- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd
- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files.
- Additional access for docker
- Added more rules to sblim policy
- Fix kdumpgui_run_bootloader boolean
- Allow dspam to connect to lmtp port
- Included sfcbd service into sblim policy
- rhsmcertd wants to manage /etc/pki/consumer dir
- Add kdumpgui_run_bootloader boolean
- Add support for /var/cache/watchdog
- Remove virt_domain attribute for virt_qemu_ga_unconfined_t
- Fixes for handling libvirt containers
- Dontaudit attempts by mysql_safe to write content into /
- Dontaudit attempts by system_mail to modify network config
- Allow dspam to bind to lmtp ports
- Add new policy to allow staff_t and user_t to look at logs using journalctl
- Allow apache cgi scripts to list sysfs
- Dontaudit attempts to write/delete user_tmp_t files
This commit is contained in:
Miroslav Grepl 2013-11-06 09:11:46 +01:00
parent 47a93c4a0b
commit c5e7e5bb30
3 changed files with 838 additions and 478 deletions



@ -520,7 +520,7 @@ index 058d908..702b716 100644
+')
+
diff --git a/abrt.te b/abrt.te
index cc43d25..097a770 100644
index cc43d25..924daba 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@ -685,7 +685,7 @@ index cc43d25..097a770 100644
-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
-dontaudit abrt_t self:capability sys_rawio;
+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace };
+allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
+dontaudit abrt_t self:capability { sys_rawio sys_ptrace };
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+
@ -4707,7 +4707,7 @@ index 83e899c..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
index 1a82e29..d0d7c0b 100644
index 1a82e29..bfe87eb 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@ -6417,7 +6417,7 @@ index 1a82e29..d0d7c0b 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -1077,172 +1333,104 @@ optional_policy(`
@@ -1077,172 +1333,106 @@ optional_policy(`
')
')
@ -6437,13 +6437,13 @@ index 1a82e29..d0d7c0b 100644
-allow httpd_script_domains self:fifo_file rw_file_perms;
-allow httpd_script_domains self:unix_stream_socket connectto;
+allow httpd_sys_script_t self:process getsched;
-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-
+allow httpd_sys_script_t self:process getsched;
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
@ -6451,29 +6451,30 @@ index 1a82e29..d0d7c0b 100644
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
-
-corecmd_exec_all_executables(httpd_script_domains)
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-corecmd_exec_all_executables(httpd_script_domains)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
-dev_read_rand(httpd_script_domains)
-dev_read_urand(httpd_script_domains)
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-files_exec_etc_files(httpd_script_domains)
-files_read_etc_files(httpd_script_domains)
-files_search_home(httpd_script_domains)
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-libs_exec_ld_so(httpd_script_domains)
-libs_exec_lib_files(httpd_script_domains)
+allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
+read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
+read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-logging_search_logs(httpd_script_domains)
-libs_exec_ld_so(httpd_script_domains)
-libs_exec_lib_files(httpd_script_domains)
+kernel_read_kernel_sysctls(httpd_sys_script_t)
-logging_search_logs(httpd_script_domains)
+dev_list_sysfs(httpd_sys_script_t)
-miscfiles_read_fonts(httpd_script_domains)
-miscfiles_read_public_files(httpd_script_domains)
+files_read_var_symlinks(httpd_sys_script_t)
@ -6653,7 +6654,7 @@ index 1a82e29..d0d7c0b 100644
')
tunable_policy(`httpd_read_user_content',`
@@ -1250,64 +1438,74 @@ tunable_policy(`httpd_read_user_content',`
@@ -1250,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@ -6750,7 +6751,7 @@ index 1a82e29..d0d7c0b 100644
########################################
#
@@ -1315,8 +1513,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
@@ -1315,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@ -6767,7 +6768,7 @@ index 1a82e29..d0d7c0b 100644
')
########################################
@@ -1324,49 +1529,38 @@ optional_policy(`
@@ -1324,49 +1531,38 @@ optional_policy(`
# User content local policy
#
@ -6832,7 +6833,7 @@ index 1a82e29..d0d7c0b 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
@@ -1376,38 +1570,99 @@ dev_read_urand(httpd_passwd_t)
@@ -1376,38 +1572,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@ -21394,15 +21395,19 @@ index 41c3f67..653a1ec 100644
## <summary>
## Execute dmidecode in the dmidecode
diff --git a/dmidecode.te b/dmidecode.te
index c947c2c..441d3f4 100644
index c947c2c..8d4d843 100644
--- a/dmidecode.te
+++ b/dmidecode.te
@@ -29,4 +29,4 @@ files_list_usr(dmidecode_t)
@@ -29,4 +29,8 @@ files_list_usr(dmidecode_t)
locallogin_use_fds(dmidecode_t)
-userdom_use_user_terminals(dmidecode_t)
+userdom_use_inherited_user_terminals(dmidecode_t)
+
+optional_policy(`
+ rhsmcertd_rw_inherited_lock_files(dmidecode_t)
+')
diff --git a/dnsmasq.fc b/dnsmasq.fc
index 23ab808..4a801b5 100644
--- a/dnsmasq.fc
@ -22127,10 +22132,10 @@ index 0000000..097c75c
+')
diff --git a/docker.te b/docker.te
new file mode 100644
index 0000000..939365d
index 0000000..1229d66
--- /dev/null
+++ b/docker.te
@@ -0,0 +1,130 @@
@@ -0,0 +1,133 @@
+policy_module(docker, 1.0.0)
+
+########################################
@ -22212,6 +22217,7 @@ index 0000000..939365d
+mount_domtrans(docker_t)
+
+sysnet_dns_name_resolve(docker_t)
+sysnet_exec_ifconfig(docker_t)
+
+optional_policy(`
+ fstools_domtrans(docker_t)
@ -22226,7 +22232,7 @@ index 0000000..939365d
+#
+
+allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
+allow docker_t self:process setsched;
+allow docker_t self:process { setsched signal_perms };
+allow docker_t self:netlink_route_socket nlmsg_write;
+allow docker_t self:unix_dgram_socket create_socket_perms;
+
@ -22236,6 +22242,8 @@ index 0000000..939365d
+
+dev_getattr_all_blk_files(docker_t)
+dev_read_urand(docker_t)
+dev_read_lvm_control(docker_t)
+dev_read_sysfs(docker_t)
+
+files_manage_isid_type_dirs(docker_t)
+files_manage_isid_type_files(docker_t)
@ -22255,12 +22263,12 @@ index 0000000..939365d
+term_use_ptmx(docker_t)
+term_getattr_pty_fs(docker_t)
+
+dev_read_lvm_control(docker_t)
+modutils_domtrans_insmod(docker_t)
+
+gen_require(`
+type lvm_t;
+optional_policy(`
+ virt_read_config(docker_t)
+ virt_exec(docker_t)
+')
+docker_rw_sem(lvm_t)
diff --git a/dovecot.fc b/dovecot.fc
index c880070..4448055 100644
--- a/dovecot.fc
@ -23429,7 +23437,7 @@ index 18f2452..a446210 100644
+
')
diff --git a/dspam.te b/dspam.te
index 266cb8f..c736297 100644
index 266cb8f..b619351 100644
--- a/dspam.te
+++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
@ -23442,17 +23450,20 @@ index 266cb8f..c736297 100644
allow dspam_t self:fifo_file rw_fifo_file_perms;
allow dspam_t self:unix_stream_socket { accept listen };
@@ -58,20 +61,42 @@ corenet_tcp_bind_spamd_port(dspam_t)
@@ -57,6 +60,12 @@ corenet_sendrecv_spamd_server_packets(dspam_t)
corenet_tcp_bind_spamd_port(dspam_t)
corenet_tcp_connect_spamd_port(dspam_t)
corenet_tcp_sendrecv_spamd_port(dspam_t)
+corenet_tcp_bind_lmtp_port(dspam_t)
+corenet_tcp_connect_lmtp_port(dspam_t)
+
+kernel_read_system_state(dspam_t)
+
+corecmd_exec_shell(dspam_t)
+
files_search_spool(dspam_t)
auth_use_nsswitch(dspam_t)
@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t)
logging_send_syslog_msg(dspam_t)
@ -23489,7 +23500,7 @@ index 266cb8f..c736297 100644
')
optional_policy(`
@@ -87,3 +112,12 @@ optional_policy(`
@@ -87,3 +114,12 @@ optional_policy(`
postgresql_tcp_connect(dspam_t)
')
@ -32392,6 +32403,145 @@ index d59ec10..dec1b3b 100644
modutils_read_module_config(jockey_t)
+ modutils_list_module_config(jockey_t)
')
diff --git a/journalctl.fc b/journalctl.fc
new file mode 100644
index 0000000..f270652
--- /dev/null
+++ b/journalctl.fc
@@ -0,0 +1 @@
+/usr/bin/journalctl -- gen_context(system_u:object_r:journalctl_exec_t,s0)
diff --git a/journalctl.if b/journalctl.if
new file mode 100644
index 0000000..9d32f23
--- /dev/null
+++ b/journalctl.if
@@ -0,0 +1,76 @@
+
+## <summary>policy for journalctl</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the journalctl domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`journalctl_domtrans',`
+ gen_require(`
+ type journalctl_t, journalctl_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, journalctl_exec_t, journalctl_t)
+')
+
+########################################
+## <summary>
+## Execute journalctl in the journalctl domain, and
+## allow the specified role the journalctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the journalctl domain.
+## </summary>
+## </param>
+#
+interface(`journalctl_run',`
+ gen_require(`
+ type journalctl_t;
+ attribute_role journalctl_roles;
+ ')
+
+ journalctl_domtrans($1)
+ roleattribute $2 journalctl_roles;
+')
+
+########################################
+## <summary>
+## Role access for journalctl
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`journalctl_role',`
+ gen_require(`
+ type journalctl_t;
+ attribute_role journalctl_roles;
+ ')
+
+ roleattribute $1 journalctl_roles;
+
+ journalctl_domtrans($2)
+
+ ps_process_pattern($2, journalctl_t)
+ allow $2 journalctl_t:process { signull signal sigkill };
+')
diff --git a/journalctl.te b/journalctl.te
new file mode 100644
index 0000000..5de3229
--- /dev/null
+++ b/journalctl.te
@@ -0,0 +1,44 @@
+policy_module(journalctl, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role journalctl_roles;
+roleattribute system_r journalctl_roles;
+
+type journalctl_t;
+type journalctl_exec_t;
+application_domain(journalctl_t, journalctl_exec_t)
+
+role journalctl_roles types journalctl_t;
+
+########################################
+#
+# journalctl local policy
+#
+allow journalctl_t self:process { fork signal_perms };
+
+allow journalctl_t self:fifo_file manage_fifo_file_perms;
+allow journalctl_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_read_system_state(journalctl_t)
+
+corecmd_exec_bin(journalctl_t)
+
+domain_use_interactive_fds(journalctl_t)
+
+files_read_etc_files(journalctl_t)
+
+fs_getattr_all_fs(journalctl_t)
+
+userdom_list_user_home_dirs(journalctl_t)
+userdom_read_user_home_content_files(journalctl_t)
+userdom_use_inherited_user_ptys(journalctl_t)
+userdom_write_inherited_user_tmp_files(journalctl_t)
+userdom_rw_inherited_user_tmpfs_files(journalctl_t)
+userdom_rw_inherited_user_home_content_files(journalctl_t)
+
+miscfiles_read_localization(journalctl_t)
+logging_read_generic_logs(journalctl_t)
diff --git a/kde.fc b/kde.fc
new file mode 100644
index 0000000..25e4b68
@ -32965,17 +33115,25 @@ index 182ab8b..8b1d9c2 100644
+')
+
diff --git a/kdumpgui.te b/kdumpgui.te
index e7f5c81..1a8d69e 100644
index e7f5c81..8c75bc8 100644
--- a/kdumpgui.te
+++ b/kdumpgui.te
@@ -1,4 +1,4 @@
@@ -1,83 +1,92 @@
-policy_module(kdumpgui, 1.1.4)
+policy_module(kdumpgui, 1.1.0)
########################################
#
@@ -7,77 +7,73 @@ policy_module(kdumpgui, 1.1.4)
# Declarations
#
+## <desc>
+## <p>
+## Allow s-c-kdump to run bootloader in bootloader_t.
+## </p>
+## </desc>
+gen_tunable(kdumpgui_run_bootloader, false)
+
type kdumpgui_t;
type kdumpgui_exec_t;
-init_system_domain(kdumpgui_t, kdumpgui_exec_t)
@ -33054,8 +33212,14 @@ index e7f5c81..1a8d69e 100644
optional_policy(`
- consoletype_exec(kdumpgui_t)
+ bootloader_exec(kdumpgui_t)
+ bootloader_manage_config(kdumpgui_t)
+ tunable_policy(`kdumpgui_run_bootloader',`
+ bootloader_domtrans(kdumpgui_t)
+ #if s-c-kdump is involved
+ bootloader_manage_config(kdumpgui_t)
+ ',`
+ bootloader_exec(kdumpgui_t)
+ bootloader_manage_config(kdumpgui_t)
+ ')
')
optional_policy(`
@ -33067,7 +33231,7 @@ index e7f5c81..1a8d69e 100644
')
optional_policy(`
@@ -87,4 +83,10 @@ optional_policy(`
@@ -87,4 +96,10 @@ optional_policy(`
optional_policy(`
kdump_manage_config(kdumpgui_t)
kdump_initrc_domtrans(kdumpgui_t)
@ -43460,7 +43624,7 @@ index ed81cac..566684a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
index afd2fad..79fe381 100644
index afd2fad..09ebbbe 100644
--- a/mta.te
+++ b/mta.te
@@ -1,4 +1,4 @@
@ -43490,7 +43654,7 @@ index afd2fad..79fe381 100644
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
@@ -43,178 +43,78 @@ role system_r types system_mail_t;
@@ -43,178 +43,79 @@ role system_r types system_mail_t;
mta_base_mail_template(user)
typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
@ -43624,11 +43788,12 @@ index afd2fad..79fe381 100644
+# newalias required this, not sure if it is needed in 'if' file
allow system_mail_t self:capability { dac_override fowner };
-
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
-
-read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
-
+dontaudit system_mail_t self:capability net_admin;
allow system_mail_t mail_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
@ -43705,7 +43870,7 @@ index afd2fad..79fe381 100644
')
optional_policy(`
@@ -223,18 +123,18 @@ optional_policy(`
@@ -223,18 +124,18 @@ optional_policy(`
')
optional_policy(`
@ -43727,7 +43892,7 @@ index afd2fad..79fe381 100644
courier_manage_spool_dirs(system_mail_t)
courier_manage_spool_files(system_mail_t)
courier_rw_spool_pipes(system_mail_t)
@@ -245,13 +145,8 @@ optional_policy(`
@@ -245,13 +146,8 @@ optional_policy(`
')
optional_policy(`
@ -43742,7 +43907,7 @@ index afd2fad..79fe381 100644
fail2ban_rw_inherited_tmp_files(system_mail_t)
')
@@ -264,10 +159,15 @@ optional_policy(`
@@ -264,10 +160,15 @@ optional_policy(`
')
optional_policy(`
@ -43758,7 +43923,7 @@ index afd2fad..79fe381 100644
nagios_read_tmp_files(system_mail_t)
')
@@ -278,6 +178,15 @@ optional_policy(`
@@ -278,6 +179,15 @@ optional_policy(`
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@ -43774,7 +43939,7 @@ index afd2fad..79fe381 100644
')
optional_policy(`
@@ -293,42 +202,36 @@ optional_policy(`
@@ -293,42 +203,36 @@ optional_policy(`
')
optional_policy(`
@ -43827,7 +43992,7 @@ index afd2fad..79fe381 100644
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -337,40 +240,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@ -43876,7 +44041,7 @@ index afd2fad..79fe381 100644
files_search_var_lib(mailserver_delivery)
mailman_domtrans(mailserver_delivery)
@@ -387,24 +276,173 @@ optional_policy(`
@@ -387,24 +277,173 @@ optional_policy(`
########################################
#
@ -45201,7 +45366,7 @@ index 687af38..404ed6d 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
index 9f6179e..cc14cbc 100644
index 9f6179e..4383f87 100644
--- a/mysql.te
+++ b/mysql.te
@@ -1,4 +1,4 @@
@ -45412,7 +45577,7 @@ index 9f6179e..cc14cbc 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
@@ -183,21 +185,26 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
@@ -183,21 +185,27 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
corecmd_exec_shell(mysqld_safe_t)
@ -45427,6 +45592,7 @@ index 9f6179e..cc14cbc 100644
-files_dontaudit_getattr_all_dirs(mysqld_safe_t)
files_dontaudit_search_all_mountpoints(mysqld_safe_t)
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+files_dontaudit_write_root_dirs(mysqld_safe_t)
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
logging_send_syslog_msg(mysqld_safe_t)
@ -45445,7 +45611,7 @@ index 9f6179e..cc14cbc 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
@@ -205,7 +212,7 @@ optional_policy(`
@@ -205,7 +213,7 @@ optional_policy(`
########################################
#
@ -45454,7 +45620,7 @@ index 9f6179e..cc14cbc 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
@@ -214,11 +221,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
@@ -214,11 +222,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@ -45472,7 +45638,7 @@ index 9f6179e..cc14cbc 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
@@ -226,31 +234,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
@@ -226,31 +235,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@ -72825,7 +72991,7 @@ index 0000000..0e965c3
+ rpm_domtrans(rhnsd_t)
+')
diff --git a/rhsmcertd.if b/rhsmcertd.if
index 6dbc905..d803796 100644
index 6dbc905..78746ef 100644
--- a/rhsmcertd.if
+++ b/rhsmcertd.if
@@ -1,8 +1,8 @@
@ -72921,26 +73087,47 @@ index 6dbc905..d803796 100644
## </summary>
## <param name="domain">
## <summary>
@@ -198,13 +194,13 @@ interface(`rhsmcertd_read_pid_files',`
@@ -196,10 +192,9 @@ interface(`rhsmcertd_read_pid_files',`
allow $1 rhsmcertd_var_run_t:file read_file_perms;
')
####################################
-####################################
+########################################
## <summary>
-## Connect to rhsmcertd with a
-## unix domain stream socket.
+## Connect to rhsmcertd over a unix domain
+## stream socket.
+## Read/wirte inherited lock files.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
## <summary>
@@ -207,6 +202,26 @@ interface(`rhsmcertd_read_pid_files',`
## </summary>
## </param>
#
+interface(`rhsmcertd_rw_inherited_lock_files',`
+ gen_require(`
+ type rhsmcertd_lock_t;
+ ')
+
+ files_search_locks($1)
+ allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms;
+')
+
+####################################
+## <summary>
+## Connect to rhsmcertd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
+## </param>
+#
interface(`rhsmcertd_stream_connect',`
@@ -239,30 +235,29 @@ interface(`rhsmcertd_dbus_chat',`
gen_require(`
type rhsmcertd_t, rhsmcertd_var_run_t;
@@ -239,30 +254,29 @@ interface(`rhsmcertd_dbus_chat',`
######################################
## <summary>
@ -72984,7 +73171,7 @@ index 6dbc905..d803796 100644
## </summary>
## <param name="domain">
## <summary>
@@ -270,35 +265,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
@@ -270,35 +284,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
## </summary>
## </param>
## <param name="role">
@ -73016,24 +73203,24 @@ index 6dbc905..d803796 100644
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 rhsmcertd_t:process ptrace;
+ ')
+
- logging_search_logs($1)
- admin_pattern($1, rhsmcertd_log_t)
+ rhsmcertd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 rhsmcertd_initrc_exec_t system_r;
+ allow $2 system_r;
- logging_search_logs($1)
- admin_pattern($1, rhsmcertd_log_t)
- files_search_var_lib($1)
- admin_pattern($1, rhsmcertd_var_lib_t)
+ logging_search_logs($1)
+ admin_pattern($1, rhsmcertd_log_t)
- files_search_var_lib($1)
- admin_pattern($1, rhsmcertd_var_lib_t)
+ files_search_var_lib($1)
+ admin_pattern($1, rhsmcertd_var_lib_t)
- files_search_pids($1)
- admin_pattern($1, rhsmcertd_var_run_t)
+ files_search_var_lib($1)
+ admin_pattern($1, rhsmcertd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, rhsmcertd_var_run_t)
+
@ -73044,10 +73231,10 @@ index 6dbc905..d803796 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
index 1cedd70..6508b1e 100644
index 1cedd70..0369e30 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -30,7 +30,8 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
#
allow rhsmcertd_t self:capability sys_nice;
@ -73057,7 +73244,15 @@ index 1cedd70..6508b1e 100644
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
@@ -52,21 +53,37 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
-append_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
-create_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
-setattr_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
@@ -52,21 +51,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
kernel_read_system_state(rhsmcertd_t)
@ -73075,6 +73270,7 @@ index 1cedd70..6508b1e 100644
-files_read_etc_files(rhsmcertd_t)
-files_read_usr_files(rhsmcertd_t)
+files_manage_generic_locks(rhsmcertd_t)
+files_manage_system_conf_files(rhsmcertd_t)
+
+auth_read_passwd(rhsmcertd_t)
@ -73084,7 +73280,8 @@ index 1cedd70..6508b1e 100644
+
+logging_send_syslog_msg(rhsmcertd_t)
+
+miscfiles_read_certs(rhsmcertd_t)
+miscfiles_manage_cert_files(rhsmcertd_t)
+miscfiles_manage_cert_dirs(rhsmcertd_t)
sysnet_dns_name_resolve(rhsmcertd_t)
@ -80756,6 +80953,21 @@ index a63b875..1c9e41b 100644
')
optional_policy(`
diff --git a/sblim.fc b/sblim.fc
index 68a550d..e976fc6 100644
--- a/sblim.fc
+++ b/sblim.fc
@@ -1,6 +1,10 @@
/etc/rc\.d/init\.d/gatherer -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/sblim-sfcbd -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
/usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
/usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
+/usr/sbin/sfcbd -- gen_context(system_u:object_r:sblim_sfcbd_exec_t,s0)
+
+/var/lib/sfcb(/.*)? gen_context(system_u:object_r:sblim_var_lib_t,s0)
/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0)
diff --git a/sblim.if b/sblim.if
index 98c9e0a..df51942 100644
--- a/sblim.if
@ -80858,10 +81070,10 @@ index 98c9e0a..df51942 100644
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
index 4a23d84..d90604c 100644
index 4a23d84..fcd1610 100644
--- a/sblim.te
+++ b/sblim.te
@@ -7,13 +7,9 @@ policy_module(sblim, 1.0.3)
@@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3)
attribute sblim_domain;
@ -80874,12 +81086,38 @@ index 4a23d84..d90604c 100644
-type sblim_reposd_exec_t;
-init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
+sblim_domain_template(reposd)
+
+sblim_domain_template(sfcbd)
type sblim_initrc_exec_t;
init_script_file(sblim_initrc_exec_t)
@@ -33,10 +29,7 @@ manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
@@ -21,6 +19,12 @@ init_script_file(sblim_initrc_exec_t)
type sblim_var_run_t;
files_pid_file(sblim_var_run_t)
+type sblim_var_lib_t;
+files_type(sblim_var_lib_t)
+
+type sblim_tmp_t;
+files_tmp_file(sblim_tmp_t)
+
######################################
#
# Common sblim domain local policy
@@ -32,11 +36,18 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+manage_dirs_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
+manage_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
+manage_lnk_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
+files_var_lib_filetrans(sblim_domain, sblim_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
+manage_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
+manage_sock_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
+files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file})
+
kernel_read_network_state(sblim_domain)
-kernel_read_system_state(sblim_domain)
@ -80888,7 +81126,7 @@ index 4a23d84..d90604c 100644
corenet_tcp_sendrecv_generic_if(sblim_domain)
corenet_tcp_sendrecv_generic_node(sblim_domain)
@@ -44,19 +37,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
@@ -44,19 +55,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
dev_read_sysfs(sblim_domain)
@ -80911,7 +81149,7 @@ index 4a23d84..d90604c 100644
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
allow sblim_gatherd_t self:unix_stream_socket { accept listen };
@@ -84,6 +73,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
@@ -84,6 +91,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
init_read_utmp(sblim_gatherd_t)
@ -80920,7 +81158,7 @@ index 4a23d84..d90604c 100644
sysnet_dns_name_resolve(sblim_gatherd_t)
term_getattr_pty_fs(sblim_gatherd_t)
@@ -103,8 +94,9 @@ optional_policy(`
@@ -103,8 +112,9 @@ optional_policy(`
')
optional_policy(`
@ -80931,7 +81169,7 @@ index 4a23d84..d90604c 100644
')
optional_policy(`
@@ -117,6 +109,10 @@ optional_policy(`
@@ -117,6 +127,25 @@ optional_policy(`
# Reposd local policy
#
@ -80943,6 +81181,21 @@ index 4a23d84..d90604c 100644
+
+logging_send_syslog_msg(sblim_reposd_t)
+
+#######################################
+#
+# Sfcbd local policy
+#
+
+allow sblim_sfcbd_t self:capability { sys_ptrace setgid };
+allow sblim_sfcbd_t self:process signal;
+
+auth_use_nsswitch(sblim_sfcbd_t)
+
+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
+
+domain_read_all_domains_state(sblim_sfcbd_t)
+domain_use_interactive_fds(sblim_sfcbd_t)
+
diff --git a/screen.fc b/screen.fc
index ac04d27..b73334e 100644
--- a/screen.fc
@ -89522,10 +89775,10 @@ index 0000000..c1fd8b4
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
index 0000000..1a7c61d
index 0000000..b57cc3c
--- /dev/null
+++ b/thumb.te
@@ -0,0 +1,148 @@
@@ -0,0 +1,149 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@ -89625,7 +89878,8 @@ index 0000000..1a7c61d
+userdom_read_user_tmp_files(thumb_t)
+userdom_read_user_home_content_files(thumb_t)
+userdom_exec_user_home_content_files(thumb_t)
+userdom_write_user_tmp_files(thumb_t)
+userdom_dontaudit_write_user_tmp_files(thumb_t)
+userdom_dontaudit_delete_user_tmp_files(thumb_t)
+userdom_read_home_audio_files(thumb_t)
+userdom_home_reader(thumb_t)
+
@ -94024,7 +94278,7 @@ index 9dec06c..73549fd 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
index 1f22fba..d798c85 100644
index 1f22fba..62390bf 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,167 @@
@ -95921,7 +96175,7 @@ index 1f22fba..d798c85 100644
+#
+
+optional_policy(`
+ type virt_qemu_ga_unconfined_t, virt_domain;
+ type virt_qemu_ga_unconfined_t;
+ domain_type(virt_qemu_ga_unconfined_t)
+
+ domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t)
@ -96446,13 +96700,40 @@ index 9329eae..824e86f 100644
-optional_policy(`
- seutil_use_newrole_fds(vpnc_t)
-')
diff --git a/watchdog.fc b/watchdog.fc
index eecd0e0..50248a7 100644
--- a/watchdog.fc
+++ b/watchdog.fc
@@ -2,6 +2,8 @@
/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
+/var/cache/watchdog(/.*)? gen_context(system_u:object_r:watchdog_cache_t,s0)
+
/var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0)
/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
diff --git a/watchdog.te b/watchdog.te
index 29f79e8..9e403ee 100644
index 29f79e8..1d43690 100644
--- a/watchdog.te
+++ b/watchdog.te
@@ -30,7 +30,8 @@ allow watchdog_t self:fifo_file rw_fifo_file_perms;
@@ -12,6 +12,9 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
type watchdog_initrc_exec_t;
init_script_file(watchdog_initrc_exec_t)
+type watchdog_cache_t;
+files_type(watchdog_cache_t)
+
type watchdog_log_t;
logging_log_file(watchdog_log_t)
@@ -29,8 +32,12 @@ allow watchdog_t self:process { setsched signal_perms };
allow watchdog_t self:fifo_file rw_fifo_file_perms;
allow watchdog_t self:tcp_socket { accept listen };
+manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
+manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
+
allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(watchdog_t, watchdog_log_t, file)
+manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
@ -96460,7 +96741,7 @@ index 29f79e8..9e403ee 100644
manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
@@ -63,7 +64,6 @@ domain_signull_all_domains(watchdog_t)
@@ -63,7 +70,6 @@ domain_signull_all_domains(watchdog_t)
domain_signal_all_domains(watchdog_t)
domain_kill_all_domains(watchdog_t)
@ -96468,7 +96749,7 @@ index 29f79e8..9e403ee 100644
files_manage_etc_runtime_files(watchdog_t)
files_etc_filetrans_etc_runtime(watchdog_t, file)
@@ -75,8 +75,6 @@ auth_append_login_records(watchdog_t)
@@ -75,8 +81,6 @@ auth_append_login_records(watchdog_t)
logging_send_syslog_msg(watchdog_t)
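Review bot: In the abrt.te hunk the allow line `allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };` (both printed variants carry sys_ptrace, whichever is the new side) is immediately followed by `dontaudit abrt_t self:capability { sys_rawio sys_ptrace };`, so the dontaudit on sys_ptrace is dead: a dontaudit only suppresses denials and the capability is already granted. Either abrt needs the capability, in which case drop `sys_ptrace` from the dontaudit line, or it does not, in which case the least-privilege fix is to drop it from the allow and keep the dontaudit, since the visible abrt change otherwise only adds `ipc_lock`. The new sblim sfcbd block in the same section similarly grants `allow sblim_sfcbd_t self:capability { sys_ptrace setgid };` next to `domain_read_all_domains_state(sblim_sfcbd_t)` with no tunable guard, unlike the `deny_ptrace` gating this commit uses in rhsmcertd_admin; it is worth confirming the denial that motivated it is not already covered by the read-all-domains-state rule. Separately, the journalctl.if summary for journalctl_domtrans still reads `## Execute TEMPLATE in the journalctl domin.` and should say `## Execute journalctl in the journalctl domain.`, and the summary above `rhsmcertd_rw_inherited_lock_files` still describes the stream-connect interface rather than lock-file access.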


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 96%{?dist}
Release: 97%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -573,6 +573,44 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Wed Nov 6 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-97
- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.
- Label /etc/yum.repos.d as system_conf_t
- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t
- Allow dac_override for sysadm_screen_t
- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file.
- Allow netlabel-config to read meminfo
- Add interface to allow docker to mounton file_t
- Add new interface to exec unlabeled files
- Allow lvm to use docker semaphores
- Setup transitons for .xsessions-errors.old
- Change labels of files in /var/lib/*/.ssh to transition properly
- Allow staff_t and user_t to look at logs using journalctl
- pluto wants to manage own log file
- Allow pluto running as ipsec_t to create pluto.log
- Fix alias decl in corenetwork.te.in
- Add support for fuse.glusterfs
- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd
- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files.
- Additional access for docker
- Added more rules to sblim policy
- Fix kdumpgui_run_bootloader boolean
- Allow dspam to connect to lmtp port
- Included sfcbd service into sblim policy
- rhsmcertd wants to manaage /etc/pki/consumer dir
- Add kdumpgui_run_bootloader boolean
- Add support for /var/cache/watchdog
- Remove virt_domain attribute for virt_qemu_ga_unconfined_t
- Fixes for handling libvirt containes
- Dontaudit attempts by mysql_safe to write content into /
- Dontaudit attempts by system_mail to modify network config
- Allow dspam to bind to lmtp ports
- Add new policy to allow staff_t and user_t to look at logs using journalctl
- Allow apache cgi scripts to list sysfs
- Dontaudit attempts to write/delete user_tmp_t files
- Allow all antivirus domains to manage also own log dirs
- Allow pegasus_openlmi_services_t to stream connect to sssd_t
* Fri Nov 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-96
- Add missing permission checks for nscd