- Allow nagios plugins to read usr files

- Allow mysqld-safe to send system log messages
- Fixes for ddclient policy
- Fix sasl_admin interface
- Allow apache to search zarafa config
- Allow munin plugins to search /var/lib directory
- Allow gpsd to read sysfs_t
- Fix labels on /etc/mcelog/triggers to bin_t
Miroslav Grepl 2010-11-15 18:27:23 +01:00
parent 763342ad3a
commit cbb8d59931
2 changed files with 213 additions and 72 deletions


@ -3957,7 +3957,7 @@ index 9a6d67d..b0c1197 100644
## mozilla over dbus.
## </summary>
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index cbf4bec..9024e9a 100644
index cbf4bec..62796d8 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@ -4030,7 +4030,7 @@ index cbf4bec..9024e9a 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
@@ -266,3 +291,128 @@ optional_policy(`
@@ -266,3 +291,129 @@ optional_policy(`
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
@ -4101,6 +4101,7 @@ index cbf4bec..9024e9a 100644
+
+miscfiles_read_localization(mozilla_plugin_t)
+miscfiles_read_fonts(mozilla_plugin_t)
+miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
+
+sysnet_dns_name_resolve(mozilla_plugin_t)
+
@ -7385,10 +7386,21 @@ index 82842a0..369c3b5 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 34c9d01..94ec653 100644
index 34c9d01..4842e56 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -128,8 +128,8 @@ ifdef(`distro_debian',`
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
-/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
+/etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
+/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
+etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -128,8 +130,8 @@ ifdef(`distro_debian',`
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@ -7398,7 +7410,7 @@ index 34c9d01..94ec653 100644
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -307,6 +307,7 @@ ifdef(`distro_redhat', `
@@ -307,6 +309,7 @@ ifdef(`distro_redhat', `
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@ -13273,7 +13285,7 @@ index 9e39aa5..3bfac20 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index c9e1a44..ef353c7 100644
index c9e1a44..1a1ba36 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
@ -13541,7 +13553,7 @@ index c9e1a44..ef353c7 100644
## Apache cache.
## </summary>
## <param name="domain">
@@ -544,6 +580,27 @@ interface(`apache_delete_cache_files',`
@@ -544,6 +580,26 @@ interface(`apache_delete_cache_files',`
########################################
## <summary>
@ -13553,7 +13565,6 @@ index c9e1a44..ef353c7 100644
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_search_config',`
+ gen_require(`
@ -13569,7 +13580,7 @@ index c9e1a44..ef353c7 100644
## Allow the specified domain to read
## apache configuration files.
## </summary>
@@ -694,7 +751,7 @@ interface(`apache_dontaudit_append_log',`
@@ -694,7 +750,7 @@ interface(`apache_dontaudit_append_log',`
type httpd_log_t;
')
@ -13578,7 +13589,7 @@ index c9e1a44..ef353c7 100644
')
########################################
@@ -740,6 +797,25 @@ interface(`apache_dontaudit_search_modules',`
@@ -740,6 +796,25 @@ interface(`apache_dontaudit_search_modules',`
########################################
## <summary>
@ -13604,7 +13615,7 @@ index c9e1a44..ef353c7 100644
## Allow the specified domain to list
## the contents of the apache modules
## directory.
@@ -756,6 +832,7 @@ interface(`apache_list_modules',`
@@ -756,6 +831,7 @@ interface(`apache_list_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
@ -13612,7 +13623,7 @@ index c9e1a44..ef353c7 100644
')
########################################
@@ -814,6 +891,7 @@ interface(`apache_list_sys_content',`
@@ -814,6 +890,7 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@ -13620,7 +13631,7 @@ index c9e1a44..ef353c7 100644
files_search_var($1)
')
@@ -841,6 +919,74 @@ interface(`apache_manage_sys_content',`
@@ -841,6 +918,74 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@ -13695,7 +13706,7 @@ index c9e1a44..ef353c7 100644
########################################
## <summary>
## Execute all web scripts in the system
@@ -857,7 +1003,11 @@ interface(`apache_manage_sys_content',`
@@ -857,7 +1002,11 @@ interface(`apache_manage_sys_content',`
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
@ -13708,7 +13719,7 @@ index c9e1a44..ef353c7 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
@@ -916,9 +1066,10 @@ interface(`apache_domtrans_all_scripts',`
@@ -916,9 +1065,10 @@ interface(`apache_domtrans_all_scripts',`
## </param>
## <param name="role">
## <summary>
@ -13720,7 +13731,7 @@ index c9e1a44..ef353c7 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
@@ -945,7 +1096,7 @@ interface(`apache_read_squirrelmail_data',`
@@ -945,7 +1095,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@ -13729,7 +13740,7 @@ index c9e1a44..ef353c7 100644
')
########################################
@@ -1086,6 +1237,25 @@ interface(`apache_read_tmp_files',`
@@ -1086,6 +1236,25 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@ -13755,7 +13766,7 @@ index c9e1a44..ef353c7 100644
########################################
## <summary>
## Dontaudit attempts to write
@@ -1102,7 +1272,7 @@ interface(`apache_dontaudit_write_tmp_files',`
@@ -1102,7 +1271,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@ -13764,7 +13775,7 @@ index c9e1a44..ef353c7 100644
')
########################################
@@ -1165,17 +1335,14 @@ interface(`apache_cgi_domain',`
@@ -1165,17 +1334,14 @@ interface(`apache_cgi_domain',`
#
interface(`apache_admin',`
gen_require(`
@ -13786,7 +13797,7 @@ index c9e1a44..ef353c7 100644
ps_process_pattern($1, httpd_t)
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
@@ -1186,10 +1353,10 @@ interface(`apache_admin',`
@@ -1186,10 +1352,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@ -13799,7 +13810,7 @@ index c9e1a44..ef353c7 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
@@ -1200,14 +1367,43 @@ interface(`apache_admin',`
@@ -1200,14 +1366,43 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@ -13849,7 +13860,7 @@ index c9e1a44..ef353c7 100644
+ dontaudit $1 httpd_tmp_t:file { read write };
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 08dfa0c..973fdf0 100644
index 08dfa0c..84e9bea 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.0)
@ -14453,18 +14464,19 @@ index 08dfa0c..973fdf0 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
@@ -603,6 +800,10 @@ optional_policy(`
@@ -603,6 +800,11 @@ optional_policy(`
yam_read_content(httpd_t)
')
+optional_policy(`
+ zarafa_stream_connect_server(httpd_t)
+ zarafa_search_config(httpd_t)
+')
+
########################################
#
# Apache helper local policy
@@ -618,6 +819,10 @@ logging_send_syslog_msg(httpd_helper_t)
@@ -618,6 +820,10 @@ logging_send_syslog_msg(httpd_helper_t)
userdom_use_user_terminals(httpd_helper_t)
@ -14475,7 +14487,7 @@ index 08dfa0c..973fdf0 100644
########################################
#
# Apache PHP script local policy
@@ -654,28 +859,27 @@ libs_exec_lib_files(httpd_php_t)
@@ -654,28 +860,27 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@ -14516,7 +14528,7 @@ index 08dfa0c..973fdf0 100644
')
########################################
@@ -699,17 +903,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
@@ -699,17 +904,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@ -14542,7 +14554,7 @@ index 08dfa0c..973fdf0 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
@@ -740,10 +949,20 @@ tunable_policy(`httpd_can_network_connect',`
@@ -740,10 +950,20 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@ -14564,7 +14576,7 @@ index 08dfa0c..973fdf0 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -769,6 +988,25 @@ optional_policy(`
@@ -769,6 +989,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@ -14590,7 +14602,7 @@ index 08dfa0c..973fdf0 100644
########################################
#
# Apache system script local policy
@@ -792,9 +1030,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -792,9 +1031,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@ -14604,7 +14616,7 @@ index 08dfa0c..973fdf0 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
@@ -803,6 +1045,33 @@ tunable_policy(`httpd_can_sendmail',`
@@ -803,6 +1046,33 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@ -14638,7 +14650,7 @@ index 08dfa0c..973fdf0 100644
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -822,7 +1091,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -822,7 +1092,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@ -14647,7 +14659,7 @@ index 08dfa0c..973fdf0 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -830,6 +1099,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -830,6 +1100,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@ -14668,7 +14680,7 @@ index 08dfa0c..973fdf0 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -842,10 +1125,20 @@ optional_policy(`
@@ -842,10 +1126,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@ -14689,7 +14701,7 @@ index 08dfa0c..973fdf0 100644
')
########################################
@@ -891,11 +1184,21 @@ optional_policy(`
@@ -891,11 +1185,21 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@ -18812,6 +18824,55 @@ index 0a1a61b..da508f4 100644
')
allow $1 ddclient_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index 24ba98a..0910356 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
type ddclient_log_t;
logging_log_file(ddclient_log_t)
+type ddclient_tmp_t;
+files_tmp_file(ddclient_tmp_t)
+
type ddclient_var_t;
files_type(ddclient_var_t)
@@ -37,12 +40,16 @@ allow ddclient_t self:process signal_perms;
allow ddclient_t self:fifo_file rw_fifo_file_perms;
allow ddclient_t self:tcp_socket create_socket_perms;
allow ddclient_t self:udp_socket create_socket_perms;
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
allow ddclient_t ddclient_etc_t:file read_file_perms;
allow ddclient_t ddclient_log_t:file manage_file_perms;
logging_log_filetrans(ddclient_t, ddclient_log_t, file)
+manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t)
+files_tmp_filetrans(ddclient_t, ddclient_tmp_t, { file })
+
manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
@@ -74,6 +81,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
corenet_udp_sendrecv_generic_node(ddclient_t)
corenet_tcp_sendrecv_all_ports(ddclient_t)
corenet_udp_sendrecv_all_ports(ddclient_t)
+corenet_tcp_bind_generic_node(ddclient_t)
+corenet_udp_bind_generic_node(ddclient_t)
corenet_tcp_connect_all_ports(ddclient_t)
corenet_sendrecv_all_client_packets(ddclient_t)
@@ -89,6 +98,8 @@ files_read_usr_files(ddclient_t)
fs_getattr_all_fs(ddclient_t)
fs_search_auto_mountpoints(ddclient_t)
+mta_send_mail(ddclient_t)
+
logging_send_syslog_msg(ddclient_t)
miscfiles_read_localization(ddclient_t)
diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if
index 567865f..9c9e65c 100644
--- a/policy/modules/services/denyhosts.if
@ -21686,10 +21747,19 @@ index a627b34..c899c61 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
index 03742d8..7b9c543 100644
index 03742d8..2a87d1e 100644
--- a/policy/modules/services/gpsd.te
+++ b/policy/modules/services/gpsd.te
@@ -56,6 +56,10 @@ logging_send_syslog_msg(gpsd_t)
@@ -46,6 +46,8 @@ corenet_tcp_sendrecv_all_ports(gpsd_t)
corenet_tcp_bind_all_nodes(gpsd_t)
corenet_tcp_bind_gpsd_port(gpsd_t)
+dev_read_sysfs(gpsd_t)
+
term_use_unallocated_ttys(gpsd_t)
term_setattr_unallocated_ttys(gpsd_t)
@@ -56,6 +58,10 @@ logging_send_syslog_msg(gpsd_t)
miscfiles_read_localization(gpsd_t)
optional_policy(`
@ -24631,7 +24701,7 @@ index 343cee3..2f948ad 100644
+ ')
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 64268e4..1acd149 100644
index 64268e4..6543734 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,8 +20,8 @@ files_type(etc_aliases_t)
@ -24645,13 +24715,14 @@ index 64268e4..1acd149 100644
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
@@ -50,22 +50,9 @@ ubac_constrained(user_mail_tmp_t)
@@ -50,22 +50,11 @@ ubac_constrained(user_mail_tmp_t)
# newalias required this, not sure if it is needed in 'if' file
allow system_mail_t self:capability { dac_override fowner };
-allow system_mail_t self:fifo_file rw_fifo_file_perms;
-
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
+allow system_mail_t mail_home_t:file manage_file_perms;
read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
@ -24668,7 +24739,7 @@ index 64268e4..1acd149 100644
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
@@ -82,6 +69,10 @@ init_use_script_ptys(system_mail_t)
@@ -82,6 +71,10 @@ init_use_script_ptys(system_mail_t)
userdom_use_user_terminals(system_mail_t)
userdom_dontaudit_search_user_home_dirs(system_mail_t)
@ -24679,7 +24750,7 @@ index 64268e4..1acd149 100644
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
@@ -92,17 +83,28 @@ optional_policy(`
@@ -92,17 +85,28 @@ optional_policy(`
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@ -24709,7 +24780,7 @@ index 64268e4..1acd149 100644
clamav_stream_connect(system_mail_t)
clamav_append_log(system_mail_t)
')
@@ -111,6 +113,8 @@ optional_policy(`
@@ -111,6 +115,8 @@ optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
@ -24718,7 +24789,7 @@ index 64268e4..1acd149 100644
')
optional_policy(`
@@ -124,12 +128,8 @@ optional_policy(`
@@ -124,12 +130,8 @@ optional_policy(`
')
optional_policy(`
@ -24732,7 +24803,7 @@ index 64268e4..1acd149 100644
')
optional_policy(`
@@ -146,6 +146,10 @@ optional_policy(`
@@ -146,6 +148,10 @@ optional_policy(`
')
optional_policy(`
@ -24743,7 +24814,7 @@ index 64268e4..1acd149 100644
nagios_read_tmp_files(system_mail_t)
')
@@ -158,18 +162,6 @@ optional_policy(`
@@ -158,18 +164,6 @@ optional_policy(`
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
@ -24762,7 +24833,7 @@ index 64268e4..1acd149 100644
')
optional_policy(`
@@ -189,6 +181,10 @@ optional_policy(`
@@ -189,6 +183,10 @@ optional_policy(`
')
optional_policy(`
@ -24773,7 +24844,7 @@ index 64268e4..1acd149 100644
smartmon_read_tmp_files(system_mail_t)
')
@@ -199,7 +195,7 @@ optional_policy(`
@@ -199,7 +197,7 @@ optional_policy(`
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
@ -24782,7 +24853,7 @@ index 64268e4..1acd149 100644
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
')
@@ -220,7 +216,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -220,7 +218,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@ -24792,7 +24863,7 @@ index 64268e4..1acd149 100644
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
@@ -249,11 +246,16 @@ optional_policy(`
@@ -249,11 +248,16 @@ optional_policy(`
mailman_read_data_symlinks(mailserver_delivery)
')
@ -24809,7 +24880,7 @@ index 64268e4..1acd149 100644
domain_use_interactive_fds(user_mail_t)
userdom_use_user_terminals(user_mail_t)
@@ -292,3 +294,44 @@ optional_policy(`
@@ -292,3 +296,44 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@ -24955,7 +25026,7 @@ index c358d8f..92c9dca 100644
allow $1 munin_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index f17583b..6f8b0fd 100644
index f17583b..0dc6344 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@ -25105,7 +25176,7 @@ index f17583b..6f8b0fd 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
@@ -313,3 +317,29 @@ init_read_utmp(system_munin_plugin_t)
@@ -313,3 +317,30 @@ init_read_utmp(system_munin_plugin_t)
sysnet_exec_ifconfig(system_munin_plugin_t)
term_getattr_unallocated_ttys(system_munin_plugin_t)
@ -25129,6 +25200,7 @@ index f17583b..6f8b0fd 100644
+corecmd_exec_bin(munin_plugin_domain)
+corecmd_exec_shell(munin_plugin_domain)
+
+files_search_var_lib(munin_plugin_domain)
+files_read_etc_files(munin_plugin_domain)
+files_read_usr_files(munin_plugin_domain)
+
@ -25189,7 +25261,7 @@ index e9c0982..4d3b208 100644
admin_pattern($1, mysqld_tmp_t)
')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 0a0d63c..086df22 100644
index 0a0d63c..d02b476 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@ -25257,8 +25329,17 @@ index 0a0d63c..086df22 100644
files_read_etc_files(mysqld_safe_t)
files_read_usr_files(mysqld_safe_t)
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
@@ -183,6 +186,8 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
hostname_exec(mysqld_safe_t)
+logging_send_syslog_msg(mysqld_safe_t)
+
miscfiles_read_localization(mysqld_safe_t)
mysql_manage_db_files(mysqld_safe_t)
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
index 8581040..89e1edf 100644
index 8581040..f54b3b8 100644
--- a/policy/modules/services/nagios.if
+++ b/policy/modules/services/nagios.if
@@ -12,10 +12,8 @@
@ -25281,7 +25362,16 @@ index 8581040..89e1edf 100644
# needed by command.cfg
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
@@ -49,7 +48,6 @@ template(`nagios_plugin_template',`
@@ -36,6 +35,8 @@ template(`nagios_plugin_template',`
dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
+ files_read_usr_files(nagios_$1_plugin_t)
+
miscfiles_read_localization(nagios_$1_plugin_t)
')
@@ -49,7 +50,6 @@ template(`nagios_plugin_template',`
## Domain to not audit.
## </summary>
## </param>
@ -25289,7 +25379,7 @@ index 8581040..89e1edf 100644
#
interface(`nagios_dontaudit_rw_pipes',`
gen_require(`
@@ -159,6 +157,26 @@ interface(`nagios_read_tmp_files',`
@@ -159,6 +159,26 @@ interface(`nagios_read_tmp_files',`
########################################
## <summary>
@ -25316,7 +25406,7 @@ index 8581040..89e1edf 100644
## Execute the nagios NRPE with
## a domain transition.
## </summary>
@@ -195,11 +213,9 @@ interface(`nagios_domtrans_nrpe',`
@@ -195,11 +215,9 @@ interface(`nagios_domtrans_nrpe',`
#
interface(`nagios_admin',`
gen_require(`
@ -25537,7 +25627,7 @@ index 2324d9e..8069487 100644
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 0619395..4898ef8 100644
index 0619395..5428249 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@ -25640,10 +25730,14 @@ index 0619395..4898ef8 100644
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
')
@@ -202,6 +230,13 @@ optional_policy(`
@@ -202,6 +230,17 @@ optional_policy(`
')
optional_policy(`
+ gnome_dontaudit_search_config(NetworkManager_t)
+')
+
+optional_policy(`
+ ipsec_domtrans_mgmt(NetworkManager_t)
+ ipsec_kill_mgmt(NetworkManager_t)
+ ipsec_signal_mgmt(NetworkManager_t)
@ -25654,7 +25748,7 @@ index 0619395..4898ef8 100644
iptables_domtrans(NetworkManager_t)
')
@@ -219,6 +254,7 @@ optional_policy(`
@@ -219,6 +258,7 @@ optional_policy(`
')
optional_policy(`
@ -25662,7 +25756,7 @@ index 0619395..4898ef8 100644
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
@@ -263,6 +299,7 @@ optional_policy(`
@@ -263,6 +303,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@ -32577,10 +32671,15 @@ index e30bb63..6e627d6 100644
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index f1aea88..c3ffa9d 100644
index f1aea88..a5a75a8 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@@ -42,7 +42,7 @@ interface(`sasl_admin',`
@@ -38,11 +38,11 @@ interface(`sasl_connect',`
#
interface(`sasl_admin',`
gen_require(`
- type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t;
+ type saslauthd_t, saslauthd_var_run_t;
type saslauthd_initrc_exec_t;
')
@ -32589,6 +32688,16 @@ index f1aea88..c3ffa9d 100644
ps_process_pattern($1, saslauthd_t)
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
@@ -50,9 +50,6 @@ interface(`sasl_admin',`
role_transition $2 saslauthd_initrc_exec_t system_r;
allow $2 system_r;
- files_list_tmp($1)
- admin_pattern($1, saslauthd_tmp_t)
-
files_list_pids($1)
admin_pattern($1, saslauthd_var_run_t)
')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 22184ad..d87a3f0 100644
--- a/policy/modules/services/sasl.te
@ -39095,10 +39204,10 @@ index 0000000..56cb5af
+/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
new file mode 100644
index 0000000..4f2dde8
index 0000000..8a909f5
--- /dev/null
+++ b/policy/modules/services/zarafa.if
@@ -0,0 +1,102 @@
@@ -0,0 +1,122 @@
+## <summary>policy for zarafa services</summary>
+
+######################################
@ -39201,6 +39310,26 @@ index 0000000..4f2dde8
+ files_search_var_lib($1)
+ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to search
+## zarafa configuration dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zarafa_search_config',`
+ gen_require(`
+ type zarafa_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 zarafa_etc_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
new file mode 100644
index 0000000..3ce4d86
@ -43010,14 +43139,16 @@ index 72c746e..e3d06fd 100644
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 8b5c196..3490497 100644
index 8b5c196..b195f9d 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,14 @@ interface(`mount_domtrans',`
@@ -16,6 +16,16 @@ interface(`mount_domtrans',`
')
domtrans_pattern($1, mount_exec_t, mount_t)
+ mount_domtrans_fusermount($1)
+
+ ps_process_pattern(mount_t, $1)
+
+ifdef(`hide_broken_symptoms', `
+ dontaudit mount_t $1:unix_stream_socket { read write };
@ -43028,7 +43159,7 @@ index 8b5c196..3490497 100644
')
########################################
@@ -45,12 +53,58 @@ interface(`mount_run',`
@@ -45,12 +55,58 @@ interface(`mount_run',`
role $2 types mount_t;
optional_policy(`
@ -43088,7 +43219,7 @@ index 8b5c196..3490497 100644
## Execute mount in the caller domain.
## </summary>
## <param name="domain">
@@ -84,9 +138,11 @@ interface(`mount_exec',`
@@ -84,9 +140,11 @@ interface(`mount_exec',`
interface(`mount_signal',`
gen_require(`
type mount_t;
@ -43100,7 +43231,7 @@ index 8b5c196..3490497 100644
')
########################################
@@ -95,7 +151,7 @@ interface(`mount_signal',`
@@ -95,7 +153,7 @@ interface(`mount_signal',`
## </summary>
## <param name="domain">
## <summary>
@ -43109,7 +43240,7 @@ index 8b5c196..3490497 100644
## </summary>
## </param>
#
@@ -176,4 +232,109 @@ interface(`mount_run_unconfined',`
@@ -176,4 +234,109 @@ interface(`mount_run_unconfined',`
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
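Review bot: The rewritten mgetty entry in the corecommands.fc hunk (`@@ -72,7 +72,9 @@`, the line `+etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)`) drops the leading slash that the removed line had. File-context specs are matched anchored against absolute paths, so this entry can no longer match /etc/mgetty+sendfax/new_fax and that script silently loses its bin_t label; libselinux may also warn about the non-absolute regex when the contexts are compiled. The line should read `+/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)`, and a `restorecon -nv /etc/mgetty+sendfax/new_fax` after relabeling would confirm it still resolves to bin_t. The section's final hunk (`@ -176,4 +232,109 @@` in mount.if) is truncated on this page, so its added lines were not reviewed.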


@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.8
Release: 6%{?dist}
Release: 7%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -471,6 +471,16 @@ exit 0
%endif
%changelog
* Mon Nov 15 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.8-7
- Allow nagios plugins to read usr files
- Allow mysqld-safe to send system log messages
- Fixes fpr ddclient policy
- Fix sasl_admin interface
- Allow apache to search zarafa config
- Allow munin plugins to search /var/lib directory
- Allow gpsd to read sysfs_t
- Fix labels on /etc/mcelog/triggers to bin_t
* Fri Nov 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-6
- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
- Allow saslauthd_t to create krb5_host_rcache_t files in /tmp