- Allow nagios plugins to read usr files
- Allow mysqld-safe to send system log messages - Fixes for ddclient policy - Fix sasl_admin interface - Allow apache to search zarafa config - Allow munin plugins to search /var/lib directory - Allow gpsd to read sysfs_t - Fix labels on /etc/mcelog/triggers to bin_t
parent
763342ad3a
commit
cbb8d59931
273
policy-F15.patch
273
policy-F15.patch
@ -3957,7 +3957,7 @@ index 9a6d67d..b0c1197 100644
|
||||
## mozilla over dbus.
|
||||
## </summary>
|
||||
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
|
||||
index cbf4bec..9024e9a 100644
|
||||
index cbf4bec..62796d8 100644
|
||||
--- a/policy/modules/apps/mozilla.te
|
||||
+++ b/policy/modules/apps/mozilla.te
|
||||
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
|
||||
@ -4030,7 +4030,7 @@ index cbf4bec..9024e9a 100644
|
||||
pulseaudio_exec(mozilla_t)
|
||||
pulseaudio_stream_connect(mozilla_t)
|
||||
pulseaudio_manage_home_files(mozilla_t)
|
||||
@@ -266,3 +291,128 @@ optional_policy(`
|
||||
@@ -266,3 +291,129 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
thunderbird_domtrans(mozilla_t)
|
||||
')
|
||||
@ -4101,6 +4101,7 @@ index cbf4bec..9024e9a 100644
|
||||
+
|
||||
+miscfiles_read_localization(mozilla_plugin_t)
|
||||
+miscfiles_read_fonts(mozilla_plugin_t)
|
||||
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
|
||||
+
|
||||
+sysnet_dns_name_resolve(mozilla_plugin_t)
|
||||
+
|
||||
@ -7385,10 +7386,21 @@ index 82842a0..369c3b5 100644
|
||||
dbus_system_bus_client($1_wm_t)
|
||||
dbus_session_bus_client($1_wm_t)
|
||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||
index 34c9d01..94ec653 100644
|
||||
index 34c9d01..4842e56 100644
|
||||
--- a/policy/modules/kernel/corecommands.fc
|
||||
+++ b/policy/modules/kernel/corecommands.fc
|
||||
@@ -128,8 +128,8 @@ ifdef(`distro_debian',`
|
||||
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
|
||||
/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
|
||||
-/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
|
||||
+/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
@@ -128,8 +130,8 @@ ifdef(`distro_debian',`
|
||||
|
||||
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -7398,7 +7410,7 @@ index 34c9d01..94ec653 100644
|
||||
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
@@ -307,6 +307,7 @@ ifdef(`distro_redhat', `
|
||||
@@ -307,6 +309,7 @@ ifdef(`distro_redhat', `
|
||||
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
@ -13273,7 +13285,7 @@ index 9e39aa5..3bfac20 100644
|
||||
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
|
||||
index c9e1a44..ef353c7 100644
|
||||
index c9e1a44..1a1ba36 100644
|
||||
--- a/policy/modules/services/apache.if
|
||||
+++ b/policy/modules/services/apache.if
|
||||
@@ -13,17 +13,13 @@
|
||||
@ -13541,7 +13553,7 @@ index c9e1a44..ef353c7 100644
|
||||
## Apache cache.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -544,6 +580,27 @@ interface(`apache_delete_cache_files',`
|
||||
@@ -544,6 +580,26 @@ interface(`apache_delete_cache_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -13553,7 +13565,6 @@ index c9e1a44..ef353c7 100644
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`apache_search_config',`
|
||||
+ gen_require(`
|
||||
@ -13569,7 +13580,7 @@ index c9e1a44..ef353c7 100644
|
||||
## Allow the specified domain to read
|
||||
## apache configuration files.
|
||||
## </summary>
|
||||
@@ -694,7 +751,7 @@ interface(`apache_dontaudit_append_log',`
|
||||
@@ -694,7 +750,7 @@ interface(`apache_dontaudit_append_log',`
|
||||
type httpd_log_t;
|
||||
')
|
||||
|
||||
@ -13578,7 +13589,7 @@ index c9e1a44..ef353c7 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -740,6 +797,25 @@ interface(`apache_dontaudit_search_modules',`
|
||||
@@ -740,6 +796,25 @@ interface(`apache_dontaudit_search_modules',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -13604,7 +13615,7 @@ index c9e1a44..ef353c7 100644
|
||||
## Allow the specified domain to list
|
||||
## the contents of the apache modules
|
||||
## directory.
|
||||
@@ -756,6 +832,7 @@ interface(`apache_list_modules',`
|
||||
@@ -756,6 +831,7 @@ interface(`apache_list_modules',`
|
||||
')
|
||||
|
||||
allow $1 httpd_modules_t:dir list_dir_perms;
|
||||
@ -13612,7 +13623,7 @@ index c9e1a44..ef353c7 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -814,6 +891,7 @@ interface(`apache_list_sys_content',`
|
||||
@@ -814,6 +890,7 @@ interface(`apache_list_sys_content',`
|
||||
')
|
||||
|
||||
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
||||
@ -13620,7 +13631,7 @@ index c9e1a44..ef353c7 100644
|
||||
files_search_var($1)
|
||||
')
|
||||
|
||||
@@ -841,6 +919,74 @@ interface(`apache_manage_sys_content',`
|
||||
@@ -841,6 +918,74 @@ interface(`apache_manage_sys_content',`
|
||||
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
||||
')
|
||||
|
||||
@ -13695,7 +13706,7 @@ index c9e1a44..ef353c7 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute all web scripts in the system
|
||||
@@ -857,7 +1003,11 @@ interface(`apache_manage_sys_content',`
|
||||
@@ -857,7 +1002,11 @@ interface(`apache_manage_sys_content',`
|
||||
interface(`apache_domtrans_sys_script',`
|
||||
gen_require(`
|
||||
attribute httpdcontent;
|
||||
@ -13708,7 +13719,7 @@ index c9e1a44..ef353c7 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
@@ -916,9 +1066,10 @@ interface(`apache_domtrans_all_scripts',`
|
||||
@@ -916,9 +1065,10 @@ interface(`apache_domtrans_all_scripts',`
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
@ -13720,7 +13731,7 @@ index c9e1a44..ef353c7 100644
|
||||
#
|
||||
interface(`apache_run_all_scripts',`
|
||||
gen_require(`
|
||||
@@ -945,7 +1096,7 @@ interface(`apache_read_squirrelmail_data',`
|
||||
@@ -945,7 +1095,7 @@ interface(`apache_read_squirrelmail_data',`
|
||||
type httpd_squirrelmail_t;
|
||||
')
|
||||
|
||||
@ -13729,7 +13740,7 @@ index c9e1a44..ef353c7 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1086,6 +1237,25 @@ interface(`apache_read_tmp_files',`
|
||||
@@ -1086,6 +1236,25 @@ interface(`apache_read_tmp_files',`
|
||||
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
|
||||
')
|
||||
|
||||
@ -13755,7 +13766,7 @@ index c9e1a44..ef353c7 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Dontaudit attempts to write
|
||||
@@ -1102,7 +1272,7 @@ interface(`apache_dontaudit_write_tmp_files',`
|
||||
@@ -1102,7 +1271,7 @@ interface(`apache_dontaudit_write_tmp_files',`
|
||||
type httpd_tmp_t;
|
||||
')
|
||||
|
||||
@ -13764,7 +13775,7 @@ index c9e1a44..ef353c7 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1165,17 +1335,14 @@ interface(`apache_cgi_domain',`
|
||||
@@ -1165,17 +1334,14 @@ interface(`apache_cgi_domain',`
|
||||
#
|
||||
interface(`apache_admin',`
|
||||
gen_require(`
|
||||
@ -13786,7 +13797,7 @@ index c9e1a44..ef353c7 100644
|
||||
ps_process_pattern($1, httpd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
|
||||
@@ -1186,10 +1353,10 @@ interface(`apache_admin',`
|
||||
@@ -1186,10 +1352,10 @@ interface(`apache_admin',`
|
||||
apache_manage_all_content($1)
|
||||
miscfiles_manage_public_files($1)
|
||||
|
||||
@ -13799,7 +13810,7 @@ index c9e1a44..ef353c7 100644
|
||||
admin_pattern($1, httpd_log_t)
|
||||
|
||||
admin_pattern($1, httpd_modules_t)
|
||||
@@ -1200,14 +1367,43 @@ interface(`apache_admin',`
|
||||
@@ -1200,14 +1366,43 @@ interface(`apache_admin',`
|
||||
admin_pattern($1, httpd_var_run_t)
|
||||
files_pid_filetrans($1, httpd_var_run_t, file)
|
||||
|
||||
@ -13849,7 +13860,7 @@ index c9e1a44..ef353c7 100644
|
||||
+ dontaudit $1 httpd_tmp_t:file { read write };
|
||||
')
|
||||
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
|
||||
index 08dfa0c..973fdf0 100644
|
||||
index 08dfa0c..84e9bea 100644
|
||||
--- a/policy/modules/services/apache.te
|
||||
+++ b/policy/modules/services/apache.te
|
||||
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.0)
|
||||
@ -14453,18 +14464,19 @@ index 08dfa0c..973fdf0 100644
|
||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
@@ -603,6 +800,10 @@ optional_policy(`
|
||||
@@ -603,6 +800,11 @@ optional_policy(`
|
||||
yam_read_content(httpd_t)
|
||||
')
|
||||
|
||||
+optional_policy(`
|
||||
+ zarafa_stream_connect_server(httpd_t)
|
||||
+ zarafa_search_config(httpd_t)
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# Apache helper local policy
|
||||
@@ -618,6 +819,10 @@ logging_send_syslog_msg(httpd_helper_t)
|
||||
@@ -618,6 +820,10 @@ logging_send_syslog_msg(httpd_helper_t)
|
||||
|
||||
userdom_use_user_terminals(httpd_helper_t)
|
||||
|
||||
@ -14475,7 +14487,7 @@ index 08dfa0c..973fdf0 100644
|
||||
########################################
|
||||
#
|
||||
# Apache PHP script local policy
|
||||
@@ -654,28 +859,27 @@ libs_exec_lib_files(httpd_php_t)
|
||||
@@ -654,28 +860,27 @@ libs_exec_lib_files(httpd_php_t)
|
||||
userdom_use_unpriv_users_fds(httpd_php_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
@ -14516,7 +14528,7 @@ index 08dfa0c..973fdf0 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -699,17 +903,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
||||
@@ -699,17 +904,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
||||
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
||||
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
||||
|
||||
@ -14542,7 +14554,7 @@ index 08dfa0c..973fdf0 100644
|
||||
|
||||
files_read_etc_files(httpd_suexec_t)
|
||||
files_read_usr_files(httpd_suexec_t)
|
||||
@@ -740,10 +949,20 @@ tunable_policy(`httpd_can_network_connect',`
|
||||
@@ -740,10 +950,20 @@ tunable_policy(`httpd_can_network_connect',`
|
||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -14564,7 +14576,7 @@ index 08dfa0c..973fdf0 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -769,6 +988,25 @@ optional_policy(`
|
||||
@@ -769,6 +989,25 @@ optional_policy(`
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
@ -14590,7 +14602,7 @@ index 08dfa0c..973fdf0 100644
|
||||
########################################
|
||||
#
|
||||
# Apache system script local policy
|
||||
@@ -792,9 +1030,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
|
||||
@@ -792,9 +1031,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
|
||||
files_search_var_lib(httpd_sys_script_t)
|
||||
files_search_spool(httpd_sys_script_t)
|
||||
|
||||
@ -14604,7 +14616,7 @@ index 08dfa0c..973fdf0 100644
|
||||
ifdef(`distro_redhat',`
|
||||
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
|
||||
')
|
||||
@@ -803,6 +1045,33 @@ tunable_policy(`httpd_can_sendmail',`
|
||||
@@ -803,6 +1046,33 @@ tunable_policy(`httpd_can_sendmail',`
|
||||
mta_send_mail(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
@ -14638,7 +14650,7 @@ index 08dfa0c..973fdf0 100644
|
||||
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
|
||||
allow httpd_sys_script_t self:udp_socket create_socket_perms;
|
||||
@@ -822,7 +1091,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||
@@ -822,7 +1092,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
@ -14647,7 +14659,7 @@ index 08dfa0c..973fdf0 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -830,6 +1099,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -830,6 +1100,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
@ -14668,7 +14680,7 @@ index 08dfa0c..973fdf0 100644
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
@@ -842,10 +1125,20 @@ optional_policy(`
|
||||
@@ -842,10 +1126,20 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
@ -14689,7 +14701,7 @@ index 08dfa0c..973fdf0 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -891,11 +1184,21 @@ optional_policy(`
|
||||
@@ -891,11 +1185,21 @@ optional_policy(`
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
allow httpd_user_script_t httpdcontent:file entrypoint;
|
||||
@ -18812,6 +18824,55 @@ index 0a1a61b..da508f4 100644
|
||||
')
|
||||
|
||||
allow $1 ddclient_t:process { ptrace signal_perms };
|
||||
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
|
||||
index 24ba98a..0910356 100644
|
||||
--- a/policy/modules/services/ddclient.te
|
||||
+++ b/policy/modules/services/ddclient.te
|
||||
@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
|
||||
type ddclient_log_t;
|
||||
logging_log_file(ddclient_log_t)
|
||||
|
||||
+type ddclient_tmp_t;
|
||||
+files_tmp_file(ddclient_tmp_t)
|
||||
+
|
||||
type ddclient_var_t;
|
||||
files_type(ddclient_var_t)
|
||||
|
||||
@@ -37,12 +40,16 @@ allow ddclient_t self:process signal_perms;
|
||||
allow ddclient_t self:fifo_file rw_fifo_file_perms;
|
||||
allow ddclient_t self:tcp_socket create_socket_perms;
|
||||
allow ddclient_t self:udp_socket create_socket_perms;
|
||||
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow ddclient_t ddclient_etc_t:file read_file_perms;
|
||||
|
||||
allow ddclient_t ddclient_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(ddclient_t, ddclient_log_t, file)
|
||||
|
||||
+manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t)
|
||||
+files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file })
|
||||
+
|
||||
manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
|
||||
manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
|
||||
manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
|
||||
@@ -74,6 +81,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
|
||||
corenet_udp_sendrecv_generic_node(ddclient_t)
|
||||
corenet_tcp_sendrecv_all_ports(ddclient_t)
|
||||
corenet_udp_sendrecv_all_ports(ddclient_t)
|
||||
+corenet_tcp_bind_generic_node(ddclient_t)
|
||||
+corenet_udp_bind_generic_node(ddclient_t)
|
||||
corenet_tcp_connect_all_ports(ddclient_t)
|
||||
corenet_sendrecv_all_client_packets(ddclient_t)
|
||||
|
||||
@@ -89,6 +98,8 @@ files_read_usr_files(ddclient_t)
|
||||
fs_getattr_all_fs(ddclient_t)
|
||||
fs_search_auto_mountpoints(ddclient_t)
|
||||
|
||||
+mta_send_mail(ddclient_t)
|
||||
+
|
||||
logging_send_syslog_msg(ddclient_t)
|
||||
|
||||
miscfiles_read_localization(ddclient_t)
|
||||
diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if
|
||||
index 567865f..9c9e65c 100644
|
||||
--- a/policy/modules/services/denyhosts.if
|
||||
@ -21686,10 +21747,19 @@ index a627b34..c899c61 100644
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(gpm_t)
|
||||
diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
|
||||
index 03742d8..7b9c543 100644
|
||||
index 03742d8..2a87d1e 100644
|
||||
--- a/policy/modules/services/gpsd.te
|
||||
+++ b/policy/modules/services/gpsd.te
|
||||
@@ -56,6 +56,10 @@ logging_send_syslog_msg(gpsd_t)
|
||||
@@ -46,6 +46,8 @@ corenet_tcp_sendrecv_all_ports(gpsd_t)
|
||||
corenet_tcp_bind_all_nodes(gpsd_t)
|
||||
corenet_tcp_bind_gpsd_port(gpsd_t)
|
||||
|
||||
+dev_read_sysfs(gpsd_t)
|
||||
+
|
||||
term_use_unallocated_ttys(gpsd_t)
|
||||
term_setattr_unallocated_ttys(gpsd_t)
|
||||
|
||||
@@ -56,6 +58,10 @@ logging_send_syslog_msg(gpsd_t)
|
||||
miscfiles_read_localization(gpsd_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -24631,7 +24701,7 @@ index 343cee3..2f948ad 100644
|
||||
+ ')
|
||||
+')
|
||||
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
|
||||
index 64268e4..1acd149 100644
|
||||
index 64268e4..6543734 100644
|
||||
--- a/policy/modules/services/mta.te
|
||||
+++ b/policy/modules/services/mta.te
|
||||
@@ -20,8 +20,8 @@ files_type(etc_aliases_t)
|
||||
@ -24645,13 +24715,14 @@ index 64268e4..1acd149 100644
|
||||
|
||||
type mqueue_spool_t;
|
||||
files_mountpoint(mqueue_spool_t)
|
||||
@@ -50,22 +50,9 @@ ubac_constrained(user_mail_tmp_t)
|
||||
@@ -50,22 +50,11 @@ ubac_constrained(user_mail_tmp_t)
|
||||
|
||||
# newalias required this, not sure if it is needed in 'if' file
|
||||
allow system_mail_t self:capability { dac_override fowner };
|
||||
-allow system_mail_t self:fifo_file rw_fifo_file_perms;
|
||||
-
|
||||
|
||||
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
|
||||
+allow system_mail_t mail_home_t:file manage_file_perms;
|
||||
|
||||
read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
|
||||
|
||||
@ -24668,7 +24739,7 @@ index 64268e4..1acd149 100644
|
||||
dev_read_sysfs(system_mail_t)
|
||||
dev_read_rand(system_mail_t)
|
||||
dev_read_urand(system_mail_t)
|
||||
@@ -82,6 +69,10 @@ init_use_script_ptys(system_mail_t)
|
||||
@@ -82,6 +71,10 @@ init_use_script_ptys(system_mail_t)
|
||||
|
||||
userdom_use_user_terminals(system_mail_t)
|
||||
userdom_dontaudit_search_user_home_dirs(system_mail_t)
|
||||
@ -24679,7 +24750,7 @@ index 64268e4..1acd149 100644
|
||||
|
||||
optional_policy(`
|
||||
apache_read_squirrelmail_data(system_mail_t)
|
||||
@@ -92,17 +83,28 @@ optional_policy(`
|
||||
@@ -92,17 +85,28 @@ optional_policy(`
|
||||
apache_dontaudit_rw_stream_sockets(system_mail_t)
|
||||
apache_dontaudit_rw_tcp_sockets(system_mail_t)
|
||||
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
|
||||
@ -24709,7 +24780,7 @@ index 64268e4..1acd149 100644
|
||||
clamav_stream_connect(system_mail_t)
|
||||
clamav_append_log(system_mail_t)
|
||||
')
|
||||
@@ -111,6 +113,8 @@ optional_policy(`
|
||||
@@ -111,6 +115,8 @@ optional_policy(`
|
||||
cron_read_system_job_tmp_files(system_mail_t)
|
||||
cron_dontaudit_write_pipes(system_mail_t)
|
||||
cron_rw_system_job_stream_sockets(system_mail_t)
|
||||
@ -24718,7 +24789,7 @@ index 64268e4..1acd149 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -124,12 +128,8 @@ optional_policy(`
|
||||
@@ -124,12 +130,8 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -24732,7 +24803,7 @@ index 64268e4..1acd149 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -146,6 +146,10 @@ optional_policy(`
|
||||
@@ -146,6 +148,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -24743,7 +24814,7 @@ index 64268e4..1acd149 100644
|
||||
nagios_read_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
@@ -158,18 +162,6 @@ optional_policy(`
|
||||
@@ -158,18 +164,6 @@ optional_policy(`
|
||||
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
|
||||
|
||||
domain_use_interactive_fds(system_mail_t)
|
||||
@ -24762,7 +24833,7 @@ index 64268e4..1acd149 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -189,6 +181,10 @@ optional_policy(`
|
||||
@@ -189,6 +183,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -24773,7 +24844,7 @@ index 64268e4..1acd149 100644
|
||||
smartmon_read_tmp_files(system_mail_t)
|
||||
')
|
||||
|
||||
@@ -199,7 +195,7 @@ optional_policy(`
|
||||
@@ -199,7 +197,7 @@ optional_policy(`
|
||||
arpwatch_search_data(mailserver_delivery)
|
||||
arpwatch_manage_tmp_files(mta_user_agent)
|
||||
|
||||
@ -24782,7 +24853,7 @@ index 64268e4..1acd149 100644
|
||||
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
|
||||
')
|
||||
|
||||
@@ -220,7 +216,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
@@ -220,7 +218,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
||||
|
||||
@ -24792,7 +24863,7 @@ index 64268e4..1acd149 100644
|
||||
|
||||
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
|
||||
|
||||
@@ -249,11 +246,16 @@ optional_policy(`
|
||||
@@ -249,11 +248,16 @@ optional_policy(`
|
||||
mailman_read_data_symlinks(mailserver_delivery)
|
||||
')
|
||||
|
||||
@ -24809,7 +24880,7 @@ index 64268e4..1acd149 100644
|
||||
domain_use_interactive_fds(user_mail_t)
|
||||
|
||||
userdom_use_user_terminals(user_mail_t)
|
||||
@@ -292,3 +294,44 @@ optional_policy(`
|
||||
@@ -292,3 +296,44 @@ optional_policy(`
|
||||
postfix_read_config(user_mail_t)
|
||||
postfix_list_spool(user_mail_t)
|
||||
')
|
||||
@ -24955,7 +25026,7 @@ index c358d8f..92c9dca 100644
|
||||
|
||||
allow $1 munin_t:process { ptrace signal_perms };
|
||||
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
|
||||
index f17583b..6f8b0fd 100644
|
||||
index f17583b..0dc6344 100644
|
||||
--- a/policy/modules/services/munin.te
|
||||
+++ b/policy/modules/services/munin.te
|
||||
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
|
||||
@ -25105,7 +25176,7 @@ index f17583b..6f8b0fd 100644
|
||||
dev_read_sysfs(system_munin_plugin_t)
|
||||
dev_read_urand(system_munin_plugin_t)
|
||||
|
||||
@@ -313,3 +317,29 @@ init_read_utmp(system_munin_plugin_t)
|
||||
@@ -313,3 +317,30 @@ init_read_utmp(system_munin_plugin_t)
|
||||
sysnet_exec_ifconfig(system_munin_plugin_t)
|
||||
|
||||
term_getattr_unallocated_ttys(system_munin_plugin_t)
|
||||
@ -25129,6 +25200,7 @@ index f17583b..6f8b0fd 100644
|
||||
+corecmd_exec_bin(munin_plugin_domain)
|
||||
+corecmd_exec_shell(munin_plugin_domain)
|
||||
+
|
||||
+files_search_var_lib(munin_plugin_domain)
|
||||
+files_read_etc_files(munin_plugin_domain)
|
||||
+files_read_usr_files(munin_plugin_domain)
|
||||
+
|
||||
@ -25189,7 +25261,7 @@ index e9c0982..4d3b208 100644
|
||||
admin_pattern($1, mysqld_tmp_t)
|
||||
')
|
||||
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
|
||||
index 0a0d63c..086df22 100644
|
||||
index 0a0d63c..d02b476 100644
|
||||
--- a/policy/modules/services/mysql.te
|
||||
+++ b/policy/modules/services/mysql.te
|
||||
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
|
||||
@ -25257,8 +25329,17 @@ index 0a0d63c..086df22 100644
|
||||
files_read_etc_files(mysqld_safe_t)
|
||||
files_read_usr_files(mysqld_safe_t)
|
||||
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
|
||||
@@ -183,6 +186,8 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
|
||||
|
||||
hostname_exec(mysqld_safe_t)
|
||||
|
||||
+logging_send_syslog_msg(mysqld_safe_t)
|
||||
+
|
||||
miscfiles_read_localization(mysqld_safe_t)
|
||||
|
||||
mysql_manage_db_files(mysqld_safe_t)
|
||||
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
|
||||
index 8581040..89e1edf 100644
|
||||
index 8581040..f54b3b8 100644
|
||||
--- a/policy/modules/services/nagios.if
|
||||
+++ b/policy/modules/services/nagios.if
|
||||
@@ -12,10 +12,8 @@
|
||||
@ -25281,7 +25362,16 @@ index 8581040..89e1edf 100644
|
||||
|
||||
# needed by command.cfg
|
||||
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
|
||||
@@ -49,7 +48,6 @@ template(`nagios_plugin_template',`
|
||||
@@ -36,6 +35,8 @@ template(`nagios_plugin_template',`
|
||||
dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
|
||||
dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
|
||||
|
||||
+ files_read_usr_files(nagios_$1_plugin_t)
|
||||
+
|
||||
miscfiles_read_localization(nagios_$1_plugin_t)
|
||||
')
|
||||
|
||||
@@ -49,7 +50,6 @@ template(`nagios_plugin_template',`
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
@ -25289,7 +25379,7 @@ index 8581040..89e1edf 100644
|
||||
#
|
||||
interface(`nagios_dontaudit_rw_pipes',`
|
||||
gen_require(`
|
||||
@@ -159,6 +157,26 @@ interface(`nagios_read_tmp_files',`
|
||||
@@ -159,6 +159,26 @@ interface(`nagios_read_tmp_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -25316,7 +25406,7 @@ index 8581040..89e1edf 100644
|
||||
## Execute the nagios NRPE with
|
||||
## a domain transition.
|
||||
## </summary>
|
||||
@@ -195,11 +213,9 @@ interface(`nagios_domtrans_nrpe',`
|
||||
@@ -195,11 +215,9 @@ interface(`nagios_domtrans_nrpe',`
|
||||
#
|
||||
interface(`nagios_admin',`
|
||||
gen_require(`
|
||||
@ -25537,7 +25627,7 @@ index 2324d9e..8069487 100644
|
||||
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
|
||||
index 0619395..4898ef8 100644
|
||||
index 0619395..5428249 100644
|
||||
--- a/policy/modules/services/networkmanager.te
|
||||
+++ b/policy/modules/services/networkmanager.te
|
||||
@@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
|
||||
@ -25640,10 +25730,14 @@ index 0619395..4898ef8 100644
|
||||
optional_policy(`
|
||||
consolekit_dbus_chat(NetworkManager_t)
|
||||
')
|
||||
@@ -202,6 +230,13 @@ optional_policy(`
|
||||
@@ -202,6 +230,17 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ gnome_dontaudit_search_config(NetworkManager_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ ipsec_domtrans_mgmt(NetworkManager_t)
|
||||
+ ipsec_kill_mgmt(NetworkManager_t)
|
||||
+ ipsec_signal_mgmt(NetworkManager_t)
|
||||
@ -25654,7 +25748,7 @@ index 0619395..4898ef8 100644
|
||||
iptables_domtrans(NetworkManager_t)
|
||||
')
|
||||
|
||||
@@ -219,6 +254,7 @@ optional_policy(`
|
||||
@@ -219,6 +258,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -25662,7 +25756,7 @@ index 0619395..4898ef8 100644
|
||||
openvpn_domtrans(NetworkManager_t)
|
||||
openvpn_kill(NetworkManager_t)
|
||||
openvpn_signal(NetworkManager_t)
|
||||
@@ -263,6 +299,7 @@ optional_policy(`
|
||||
@@ -263,6 +303,7 @@ optional_policy(`
|
||||
vpn_kill(NetworkManager_t)
|
||||
vpn_signal(NetworkManager_t)
|
||||
vpn_signull(NetworkManager_t)
|
||||
@ -32577,10 +32671,15 @@ index e30bb63..6e627d6 100644
|
||||
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
|
||||
')
|
||||
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
|
||||
index f1aea88..c3ffa9d 100644
|
||||
index f1aea88..a5a75a8 100644
|
||||
--- a/policy/modules/services/sasl.if
|
||||
+++ b/policy/modules/services/sasl.if
|
||||
@@ -42,7 +42,7 @@ interface(`sasl_admin',`
|
||||
@@ -38,11 +38,11 @@ interface(`sasl_connect',`
|
||||
#
|
||||
interface(`sasl_admin',`
|
||||
gen_require(`
|
||||
- type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
|
||||
+ type saslauthd_t, saslauthd_var_run_t;
|
||||
type saslauthd_initrc_exec_t;
|
||||
')
|
||||
|
||||
@ -32589,6 +32688,16 @@ index f1aea88..c3ffa9d 100644
|
||||
ps_process_pattern($1, saslauthd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
|
||||
@@ -50,9 +50,6 @@ interface(`sasl_admin',`
|
||||
role_transition $2 saslauthd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
- files_list_tmp($1)
|
||||
- admin_pattern($1, saslauthd_tmp_t)
|
||||
-
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, saslauthd_var_run_t)
|
||||
')
|
||||
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
|
||||
index 22184ad..d87a3f0 100644
|
||||
--- a/policy/modules/services/sasl.te
|
||||
@ -39095,10 +39204,10 @@ index 0000000..56cb5af
|
||||
+/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
|
||||
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
|
||||
new file mode 100644
|
||||
index 0000000..4f2dde8
|
||||
index 0000000..8a909f5
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/services/zarafa.if
|
||||
@@ -0,0 +1,102 @@
|
||||
@@ -0,0 +1,122 @@
|
||||
+## <summary>policy for zarafa services</summary>
|
||||
+
|
||||
+######################################
|
||||
@ -39201,6 +39310,26 @@ index 0000000..4f2dde8
|
||||
+ files_search_var_lib($1)
|
||||
+ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
|
||||
+')
|
||||
+
|
||||
+######################################
|
||||
+## <summary>
|
||||
+## Allow the specified domain to search
|
||||
+## zarafa configuration dirs.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`zarafa_search_config',`
|
||||
+ gen_require(`
|
||||
+ type zarafa_etc_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_etc($1)
|
||||
+ allow $1 zarafa_etc_t:dir search_dir_perms;
|
||||
+')
|
||||
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
|
||||
new file mode 100644
|
||||
index 0000000..3ce4d86
|
||||
@ -43010,15 +43139,17 @@ index 72c746e..e3d06fd 100644
|
||||
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
|
||||
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
|
||||
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
|
||||
index 8b5c196..3490497 100644
|
||||
index 8b5c196..b195f9d 100644
|
||||
--- a/policy/modules/system/mount.if
|
||||
+++ b/policy/modules/system/mount.if
|
||||
@@ -16,6 +16,14 @@ interface(`mount_domtrans',`
|
||||
@@ -16,6 +16,16 @@ interface(`mount_domtrans',`
|
||||
')
|
||||
|
||||
domtrans_pattern($1, mount_exec_t, mount_t)
|
||||
+ mount_domtrans_fusermount($1)
|
||||
+
|
||||
+ ps_process_pattern(mount_t, $1)
|
||||
+
|
||||
+ifdef(`hide_broken_symptoms', `
|
||||
+ dontaudit mount_t $1:unix_stream_socket { read write };
|
||||
+ dontaudit mount_t $1:tcp_socket { read write };
|
||||
@ -43028,7 +43159,7 @@ index 8b5c196..3490497 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -45,12 +53,58 @@ interface(`mount_run',`
|
||||
@@ -45,12 +55,58 @@ interface(`mount_run',`
|
||||
role $2 types mount_t;
|
||||
|
||||
optional_policy(`
|
||||
@ -43088,7 +43219,7 @@ index 8b5c196..3490497 100644
|
||||
## Execute mount in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -84,9 +138,11 @@ interface(`mount_exec',`
|
||||
@@ -84,9 +140,11 @@ interface(`mount_exec',`
|
||||
interface(`mount_signal',`
|
||||
gen_require(`
|
||||
type mount_t;
|
||||
@ -43100,7 +43231,7 @@ index 8b5c196..3490497 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -95,7 +151,7 @@ interface(`mount_signal',`
|
||||
@@ -95,7 +153,7 @@ interface(`mount_signal',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -43109,7 +43240,7 @@ index 8b5c196..3490497 100644
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -176,4 +232,109 @@ interface(`mount_run_unconfined',`
|
||||
@@ -176,4 +234,109 @@ interface(`mount_run_unconfined',`
|
||||
|
||||
mount_domtrans_unconfined($1)
|
||||
role $2 types unconfined_mount_t;
|
||||
|
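Review bot: The re-added mgetty entry in the corecommands.fc hunk (`@@ -72,7 +72,9 @@`), `+etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)`, has lost its leading slash, while the removed line directly above it still had one; file-context regexes are anchored to absolute paths, so this entry will match nothing and /etc/mgetty+sendfax/new_fax will silently lose its bin_t label once the patch is applied. The line should read `/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)`; this looks like a collateral edit from inserting the two mcelog entries, since the changelog only mentions /etc/mcelog/triggers. The two new mcelog entries themselves label everything under /etc/mcelog/triggers as bin_t, which most domains may execute, so it is worth confirming which domains can write into that directory. The other hunks in this section match the changelog items (nagios `files_read_usr_files`, mysqld_safe `logging_send_syslog_msg`, gpsd `dev_read_sysfs`, munin `files_search_var_lib`, apache `zarafa_search_config`, sasl_admin dropping saslauthd_tmp_t) and raise nothing further.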
@ -21,7 +21,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.9.8
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -471,6 +471,16 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Nov 15 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.8-7
|
||||
- Allow nagios plugins to read usr files
|
||||
- Allow mysqld-safe to send system log messages
|
||||
- Fixes fpr ddclient policy
|
||||
- Fix sasl_admin interface
|
||||
- Allow apache to search zarafa config
|
||||
- Allow munin plugins to search /var/lib directory
|
||||
- Allow gpsd to read sysfs_t
|
||||
- Fix labels on /etc/mcelog/triggers to bin_t
|
||||
|
||||
* Fri Nov 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-6
|
||||
- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
|
||||
- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp
|
||||
|