* Thu Jul 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-134

- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- nrpe needs kill capability to make gluster moniterd nodes working.
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
This commit is contained in:
Lukas Vrabec 2015-07-02 17:37:26 +02:00
parent 1428c0c5e6
commit d04212cd26
3 changed files with 283 additions and 156 deletions

View File

@ -14445,7 +14445,7 @@ index d7c11a0..6b3331d 100644
/var/run/shm/.* <<none>> /var/run/shm/.* <<none>>
-') -')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 8416beb..19d6aba 100644 index 8416beb..d7111b8 100644
--- a/policy/modules/kernel/filesystem.if --- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@ -14683,7 +14683,7 @@ index 8416beb..19d6aba 100644
') ')
######################################## ########################################
@@ -1542,6 +1666,25 @@ interface(`fs_cifs_domtrans',` @@ -1542,6 +1666,44 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2) domain_auto_transition_pattern($1, cifs_t, $2)
') ')
@ -14705,11 +14705,30 @@ index 8416beb..19d6aba 100644
+ +
+ domain_entry_file($1, cifs_t) + domain_entry_file($1, cifs_t)
+') +')
+
+########################################
+## <summary>
+## Make general progams in CIFS an entrypoint for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which cifs_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`fs_cifs_entrypoint',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:file entrypoint;
+')
+ +
####################################### #######################################
## <summary> ## <summary>
## Create, read, write, and delete dirs ## Create, read, write, and delete dirs
@@ -1582,6 +1725,24 @@ interface(`fs_manage_configfs_files',` @@ -1582,6 +1744,24 @@ interface(`fs_manage_configfs_files',`
######################################## ########################################
## <summary> ## <summary>
@ -14734,7 +14753,7 @@ index 8416beb..19d6aba 100644
## Mount a DOS filesystem, such as ## Mount a DOS filesystem, such as
## FAT32 or NTFS. ## FAT32 or NTFS.
## </summary> ## </summary>
@@ -1793,63 +1954,70 @@ interface(`fs_read_eventpollfs',` @@ -1793,63 +1973,70 @@ interface(`fs_read_eventpollfs',`
refpolicywarn(`$0($*) has been deprecated.') refpolicywarn(`$0($*) has been deprecated.')
') ')
@ -14830,7 +14849,7 @@ index 8416beb..19d6aba 100644
## on a FUSEFS filesystem. ## on a FUSEFS filesystem.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1859,18 +2027,19 @@ interface(`fs_mounton_fusefs',` @@ -1859,18 +2046,19 @@ interface(`fs_mounton_fusefs',`
## </param> ## </param>
## <rolecap/> ## <rolecap/>
# #
@ -14855,7 +14874,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1878,135 +2047,151 @@ interface(`fs_search_fusefs',` @@ -1878,135 +2066,151 @@ interface(`fs_search_fusefs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -15050,7 +15069,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2014,41 +2199,297 @@ interface(`fs_dontaudit_manage_fusefs_files',` @@ -2014,19 +2218,313 @@ interface(`fs_dontaudit_manage_fusefs_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -15071,34 +15090,29 @@ index 8416beb..19d6aba 100644
-## filesystem. -## filesystem.
+## Search directories +## Search directories
+## on a FUSEFS filesystem. +## on a FUSEFS filesystem.
## </summary> +## </summary>
## <param name="domain"> +## <param name="domain">
## <summary> +## <summary>
## Domain allowed access. +## Domain allowed access.
## </summary> +## </summary>
## </param> +## </param>
+## <rolecap/> +## <rolecap/>
# +#
-interface(`fs_getattr_hugetlbfs',`
+interface(`fs_search_fusefs',` +interface(`fs_search_fusefs',`
gen_require(` + gen_require(`
- type hugetlbfs_t;
+ type fusefs_t; + type fusefs_t;
') + ')
+
- allow $1 hugetlbfs_t:filesystem getattr;
+ allow $1 fusefs_t:dir search_dir_perms; + allow $1 fusefs_t:dir search_dir_perms;
') +')
+
######################################## +########################################
## <summary> +## <summary>
-## List hugetlbfs.
+## Do not audit attempts to list the contents +## Do not audit attempts to list the contents
+## of directories on a FUSEFS filesystem. +## of directories on a FUSEFS filesystem.
## </summary> +## </summary>
## <param name="domain"> +## <param name="domain">
## <summary> +## <summary>
-## Domain allowed access.
+## Domain to not audit. +## Domain to not audit.
+## </summary> +## </summary>
+## </param> +## </param>
@ -15191,6 +15205,44 @@ index 8416beb..19d6aba 100644
+ +
+######################################## +########################################
+## <summary> +## <summary>
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which fusefs_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`fs_fusefs_entry_type',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ domain_entry_file($1, fusefs_t)
+')
+
+########################################
+## <summary>
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which fusefs_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`fs_fusefs_entrypoint',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:file entrypoint;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete files +## Create, read, write, and delete files
+## on a FUSEFS filesystem. +## on a FUSEFS filesystem.
+## </summary> +## </summary>
@ -15333,32 +15385,10 @@ index 8416beb..19d6aba 100644
+## <summary> +## <summary>
+## Get the attributes of an hugetlbfs +## Get the attributes of an hugetlbfs
+## filesystem. +## filesystem.
+## </summary> ## </summary>
+## <param name="domain"> ## <param name="domain">
+## <summary> ## <summary>
+## Domain allowed access. @@ -2080,6 +2578,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+## </summary>
+## </param>
+#
+interface(`fs_getattr_hugetlbfs',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ allow $1 hugetlbfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## List hugetlbfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
## </summary>
## </param>
#
@@ -2080,6 +2521,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
######################################## ########################################
## <summary> ## <summary>
@ -15383,7 +15413,7 @@ index 8416beb..19d6aba 100644
## Read and write hugetlbfs files. ## Read and write hugetlbfs files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -2098,6 +2557,25 @@ interface(`fs_rw_hugetlbfs_files',` @@ -2098,6 +2614,25 @@ interface(`fs_rw_hugetlbfs_files',`
######################################## ########################################
## <summary> ## <summary>
@ -15409,7 +15439,7 @@ index 8416beb..19d6aba 100644
## Allow the type to associate to hugetlbfs filesystems. ## Allow the type to associate to hugetlbfs filesystems.
## </summary> ## </summary>
## <param name="type"> ## <param name="type">
@@ -2148,11 +2626,12 @@ interface(`fs_list_inotifyfs',` @@ -2148,11 +2683,12 @@ interface(`fs_list_inotifyfs',`
') ')
allow $1 inotifyfs_t:dir list_dir_perms; allow $1 inotifyfs_t:dir list_dir_perms;
@ -15423,7 +15453,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2485,6 +2964,7 @@ interface(`fs_read_nfs_files',` @@ -2485,6 +3021,7 @@ interface(`fs_read_nfs_files',`
type nfs_t; type nfs_t;
') ')
@ -15431,7 +15461,7 @@ index 8416beb..19d6aba 100644
allow $1 nfs_t:dir list_dir_perms; allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t) read_files_pattern($1, nfs_t, nfs_t)
') ')
@@ -2523,6 +3003,7 @@ interface(`fs_write_nfs_files',` @@ -2523,6 +3060,7 @@ interface(`fs_write_nfs_files',`
type nfs_t; type nfs_t;
') ')
@ -15439,7 +15469,7 @@ index 8416beb..19d6aba 100644
allow $1 nfs_t:dir list_dir_perms; allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t) write_files_pattern($1, nfs_t, nfs_t)
') ')
@@ -2549,6 +3030,25 @@ interface(`fs_exec_nfs_files',` @@ -2549,6 +3087,44 @@ interface(`fs_exec_nfs_files',`
######################################## ########################################
## <summary> ## <summary>
@ -15461,11 +15491,30 @@ index 8416beb..19d6aba 100644
+') +')
+ +
+######################################## +########################################
+## <summary>
+## Make general progams in NFS an entrypoint for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain for which nfs_t is an entrypoint.
+## </summary>
+## </param>
+#
+interface(`fs_nfs_entrypoint',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:file entrypoint;
+')
+
+########################################
+## <summary> +## <summary>
## Append files ## Append files
## on a NFS filesystem. ## on a NFS filesystem.
## </summary> ## </summary>
@@ -2569,7 +3069,7 @@ interface(`fs_append_nfs_files',` @@ -2569,7 +3145,7 @@ interface(`fs_append_nfs_files',`
######################################## ########################################
## <summary> ## <summary>
@ -15474,7 +15523,7 @@ index 8416beb..19d6aba 100644
## on a NFS filesystem. ## on a NFS filesystem.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -2589,6 +3089,42 @@ interface(`fs_dontaudit_append_nfs_files',` @@ -2589,6 +3165,42 @@ interface(`fs_dontaudit_append_nfs_files',`
######################################## ########################################
## <summary> ## <summary>
@ -15517,7 +15566,7 @@ index 8416beb..19d6aba 100644
## Do not audit attempts to read or ## Do not audit attempts to read or
## write files on a NFS filesystem. ## write files on a NFS filesystem.
## </summary> ## </summary>
@@ -2603,7 +3139,7 @@ interface(`fs_dontaudit_rw_nfs_files',` @@ -2603,7 +3215,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t; type nfs_t;
') ')
@ -15526,7 +15575,7 @@ index 8416beb..19d6aba 100644
') ')
######################################## ########################################
@@ -2627,7 +3163,7 @@ interface(`fs_read_nfs_symlinks',` @@ -2627,7 +3239,7 @@ interface(`fs_read_nfs_symlinks',`
######################################## ########################################
## <summary> ## <summary>
@ -15535,7 +15584,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2719,6 +3255,47 @@ interface(`fs_search_rpc',` @@ -2719,6 +3331,47 @@ interface(`fs_search_rpc',`
######################################## ########################################
## <summary> ## <summary>
@ -15583,7 +15632,7 @@ index 8416beb..19d6aba 100644
## Search removable storage directories. ## Search removable storage directories.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -2741,7 +3318,7 @@ interface(`fs_search_removable',` @@ -2741,7 +3394,7 @@ interface(`fs_search_removable',`
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -15592,7 +15641,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## </param> ## </param>
# #
@@ -2777,7 +3354,7 @@ interface(`fs_read_removable_files',` @@ -2777,7 +3430,7 @@ interface(`fs_read_removable_files',`
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -15601,7 +15650,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## </param> ## </param>
# #
@@ -2970,6 +3547,7 @@ interface(`fs_manage_nfs_dirs',` @@ -2970,6 +3623,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t; type nfs_t;
') ')
@ -15609,7 +15658,7 @@ index 8416beb..19d6aba 100644
allow $1 nfs_t:dir manage_dir_perms; allow $1 nfs_t:dir manage_dir_perms;
') ')
@@ -3010,6 +3588,7 @@ interface(`fs_manage_nfs_files',` @@ -3010,6 +3664,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t; type nfs_t;
') ')
@ -15617,7 +15666,7 @@ index 8416beb..19d6aba 100644
manage_files_pattern($1, nfs_t, nfs_t) manage_files_pattern($1, nfs_t, nfs_t)
') ')
@@ -3050,6 +3629,7 @@ interface(`fs_manage_nfs_symlinks',` @@ -3050,6 +3705,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t; type nfs_t;
') ')
@ -15625,7 +15674,7 @@ index 8416beb..19d6aba 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t) manage_lnk_files_pattern($1, nfs_t, nfs_t)
') ')
@@ -3137,6 +3717,24 @@ interface(`fs_nfs_domtrans',` @@ -3137,6 +3793,24 @@ interface(`fs_nfs_domtrans',`
######################################## ########################################
## <summary> ## <summary>
@ -15650,7 +15699,7 @@ index 8416beb..19d6aba 100644
## Mount a NFS server pseudo filesystem. ## Mount a NFS server pseudo filesystem.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -3263,6 +3861,24 @@ interface(`fs_getattr_nfsd_files',` @@ -3263,6 +3937,24 @@ interface(`fs_getattr_nfsd_files',`
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
') ')
@ -15675,7 +15724,7 @@ index 8416beb..19d6aba 100644
######################################## ########################################
## <summary> ## <summary>
## Read and write NFS server files. ## Read and write NFS server files.
@@ -3283,6 +3899,24 @@ interface(`fs_rw_nfsd_fs',` @@ -3283,6 +3975,24 @@ interface(`fs_rw_nfsd_fs',`
######################################## ########################################
## <summary> ## <summary>
@ -15700,7 +15749,7 @@ index 8416beb..19d6aba 100644
## Allow the type to associate to ramfs filesystems. ## Allow the type to associate to ramfs filesystems.
## </summary> ## </summary>
## <param name="type"> ## <param name="type">
@@ -3392,7 +4026,7 @@ interface(`fs_search_ramfs',` @@ -3392,7 +4102,7 @@ interface(`fs_search_ramfs',`
######################################## ########################################
## <summary> ## <summary>
@ -15709,7 +15758,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3429,7 +4063,7 @@ interface(`fs_manage_ramfs_dirs',` @@ -3429,7 +4139,7 @@ interface(`fs_manage_ramfs_dirs',`
######################################## ########################################
## <summary> ## <summary>
@ -15718,7 +15767,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3447,7 +4081,7 @@ interface(`fs_dontaudit_read_ramfs_files',` @@ -3447,7 +4157,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
######################################## ########################################
## <summary> ## <summary>
@ -15727,7 +15776,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3743,25 +4377,61 @@ interface(`fs_getattr_rpc_pipefs',` @@ -3743,25 +4453,61 @@ interface(`fs_getattr_rpc_pipefs',`
######################################### #########################################
## <summary> ## <summary>
@ -15795,7 +15844,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3769,17 +4439,17 @@ interface(`fs_rw_rpc_named_pipes',` @@ -3769,17 +4515,17 @@ interface(`fs_rw_rpc_named_pipes',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -15816,7 +15865,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3787,17 +4457,17 @@ interface(`fs_mount_tmpfs',` @@ -3787,17 +4533,17 @@ interface(`fs_mount_tmpfs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -15837,7 +15886,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3805,12 +4475,12 @@ interface(`fs_remount_tmpfs',` @@ -3805,12 +4551,12 @@ interface(`fs_remount_tmpfs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -15852,7 +15901,7 @@ index 8416beb..19d6aba 100644
') ')
######################################## ########################################
@@ -3908,7 +4578,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` @@ -3908,7 +4654,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
######################################## ########################################
## <summary> ## <summary>
@ -15861,7 +15910,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3916,17 +4586,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` @@ -3916,17 +4662,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -15882,7 +15931,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3934,17 +4604,17 @@ interface(`fs_mounton_tmpfs',` @@ -3934,17 +4680,17 @@ interface(`fs_mounton_tmpfs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -15903,7 +15952,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3952,17 +4622,36 @@ interface(`fs_setattr_tmpfs_dirs',` @@ -3952,17 +4698,36 @@ interface(`fs_setattr_tmpfs_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -15943,7 +15992,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3970,31 +4659,48 @@ interface(`fs_search_tmpfs',` @@ -3970,31 +4735,48 @@ interface(`fs_search_tmpfs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -15999,7 +16048,7 @@ index 8416beb..19d6aba 100644
') ')
######################################## ########################################
@@ -4105,7 +4811,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` @@ -4105,7 +4887,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t; type tmpfs_t;
') ')
@ -16008,7 +16057,7 @@ index 8416beb..19d6aba 100644
') ')
######################################## ########################################
@@ -4165,6 +4871,24 @@ interface(`fs_rw_tmpfs_files',` @@ -4165,6 +4947,24 @@ interface(`fs_rw_tmpfs_files',`
######################################## ########################################
## <summary> ## <summary>
@ -16033,7 +16082,7 @@ index 8416beb..19d6aba 100644
## Read tmpfs link files. ## Read tmpfs link files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4202,7 +4926,7 @@ interface(`fs_rw_tmpfs_chr_files',` @@ -4202,7 +5002,7 @@ interface(`fs_rw_tmpfs_chr_files',`
######################################## ########################################
## <summary> ## <summary>
@ -16042,7 +16091,7 @@ index 8416beb..19d6aba 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4221,6 +4945,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` @@ -4221,6 +5021,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
######################################## ########################################
## <summary> ## <summary>
@ -16103,7 +16152,7 @@ index 8416beb..19d6aba 100644
## Relabel character nodes on tmpfs filesystems. ## Relabel character nodes on tmpfs filesystems.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4278,6 +5056,44 @@ interface(`fs_relabel_tmpfs_blk_file',` @@ -4278,6 +5132,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
######################################## ########################################
## <summary> ## <summary>
@ -16148,7 +16197,7 @@ index 8416beb..19d6aba 100644
## Read and write, create and delete generic ## Read and write, create and delete generic
## files on tmpfs filesystems. ## files on tmpfs filesystems.
## </summary> ## </summary>
@@ -4297,6 +5113,25 @@ interface(`fs_manage_tmpfs_files',` @@ -4297,6 +5189,25 @@ interface(`fs_manage_tmpfs_files',`
######################################## ########################################
## <summary> ## <summary>
@ -16174,7 +16223,7 @@ index 8416beb..19d6aba 100644
## Read and write, create and delete symbolic ## Read and write, create and delete symbolic
## links on tmpfs filesystems. ## links on tmpfs filesystems.
## </summary> ## </summary>
@@ -4503,6 +5338,8 @@ interface(`fs_mount_all_fs',` @@ -4503,6 +5414,8 @@ interface(`fs_mount_all_fs',`
') ')
allow $1 filesystem_type:filesystem mount; allow $1 filesystem_type:filesystem mount;
@ -16183,7 +16232,7 @@ index 8416beb..19d6aba 100644
') ')
######################################## ########################################
@@ -4549,7 +5386,7 @@ interface(`fs_unmount_all_fs',` @@ -4549,7 +5462,7 @@ interface(`fs_unmount_all_fs',`
## <desc> ## <desc>
## <p> ## <p>
## Allow the specified domain to ## Allow the specified domain to
@ -16192,7 +16241,7 @@ index 8416beb..19d6aba 100644
## Example attributes: ## Example attributes:
## </p> ## </p>
## <ul> ## <ul>
@@ -4596,6 +5433,26 @@ interface(`fs_dontaudit_getattr_all_fs',` @@ -4596,6 +5509,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
######################################## ########################################
## <summary> ## <summary>
@ -16219,7 +16268,7 @@ index 8416beb..19d6aba 100644
## Get the quotas of all filesystems. ## Get the quotas of all filesystems.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4671,6 +5528,25 @@ interface(`fs_getattr_all_dirs',` @@ -4671,6 +5604,25 @@ interface(`fs_getattr_all_dirs',`
######################################## ########################################
## <summary> ## <summary>
@ -16245,7 +16294,7 @@ index 8416beb..19d6aba 100644
## Search all directories with a filesystem type. ## Search all directories with a filesystem type.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4912,3 +5788,43 @@ interface(`fs_unconfined',` @@ -4912,3 +5864,43 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type; typeattribute $1 filesystem_unconfined_type;
') ')
@ -33950,7 +33999,7 @@ index c42fbc3..277fe6c 100644
## <summary> ## <summary>
## Set the attributes of iptables config files. ## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index be8ed1e..231b21d 100644 index be8ed1e..750839c 100644
--- a/policy/modules/system/iptables.te --- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te
@@ -16,15 +16,18 @@ role iptables_roles types iptables_t; @@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
@ -34071,7 +34120,7 @@ index be8ed1e..231b21d 100644
modutils_run_insmod(iptables_t, iptables_roles) modutils_run_insmod(iptables_t, iptables_roles)
') ')
@@ -124,6 +142,12 @@ optional_policy(` @@ -124,6 +142,16 @@ optional_policy(`
optional_policy(` optional_policy(`
psad_rw_tmp_files(iptables_t) psad_rw_tmp_files(iptables_t)
@ -34079,12 +34128,16 @@ index be8ed1e..231b21d 100644
+') +')
+ +
+optional_policy(` +optional_policy(`
+ ctdbd_read_lib_files(iptables_t)
+')
+
+optional_policy(`
+ neutron_rw_inherited_pipes(iptables_t) + neutron_rw_inherited_pipes(iptables_t)
+ neutron_sigchld(iptables_t) + neutron_sigchld(iptables_t)
') ')
optional_policy(` optional_policy(`
@@ -135,9 +159,9 @@ optional_policy(` @@ -135,9 +163,9 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -42673,7 +42726,7 @@ index 0000000..d2a8fc7
+') +')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 0000000..0401ad8 index 0000000..ea27f86
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,721 @@ @@ -0,0 +1,721 @@
@ -42946,7 +42999,7 @@ index 0000000..0401ad8
+ +
+dev_read_sysfs(systemd_networkd_t) +dev_read_sysfs(systemd_networkd_t)
+ +
+auth_read_passwd(systemd_networkd_t) +auth_use_nsswitch(systemd_networkd_t)
+ +
+sysnet_manage_config(systemd_networkd_t) +sysnet_manage_config(systemd_networkd_t)
+sysnet_manage_config_dirs(systemd_networkd_t) +sysnet_manage_config_dirs(systemd_networkd_t)

View File

@ -18378,10 +18378,10 @@ index 1303b30..759412f 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3) + logging_log_filetrans($1, cron_log_t, $2, $3)
') ')
diff --git a/cron.te b/cron.te diff --git a/cron.te b/cron.te
index 7de3859..0ee059a 100644 index 7de3859..9d2cd2d 100644
--- a/cron.te --- a/cron.te
+++ b/cron.te +++ b/cron.te
@@ -11,46 +11,46 @@ gen_require(` @@ -11,46 +11,54 @@ gen_require(`
## <desc> ## <desc>
## <p> ## <p>
@ -18404,10 +18404,18 @@ index 7de3859..0ee059a 100644
+## Determine whether crond can execute jobs +## Determine whether crond can execute jobs
+## in the user domain as opposed to the +## in the user domain as opposed to the
+## the generic cronjob domain. +## the generic cronjob domain.
+## </p>
+## </desc>
+gen_tunable(cron_userdomain_transition, true)
+
+## <desc>
+## <p>
+## Allow system cronjob to be executed on
+## on NFS, CIFS or FUSE filesystem.
+## </p> +## </p>
## </desc> ## </desc>
-gen_tunable(cron_userdomain_transition, false) -gen_tunable(cron_userdomain_transition, false)
+gen_tunable(cron_userdomain_transition, true) +gen_tunable(cron_system_cronjob_use_shares, false)
## <desc> ## <desc>
## <p> ## <p>
@ -18442,7 +18450,7 @@ index 7de3859..0ee059a 100644
type cron_log_t; type cron_log_t;
logging_log_file(cron_log_t) logging_log_file(cron_log_t)
@@ -71,6 +71,9 @@ domain_cron_exemption_source(crond_t) @@ -71,6 +79,9 @@ domain_cron_exemption_source(crond_t)
type crond_initrc_exec_t; type crond_initrc_exec_t;
init_script_file(crond_initrc_exec_t) init_script_file(crond_initrc_exec_t)
@ -18452,7 +18460,7 @@ index 7de3859..0ee059a 100644
type crond_tmp_t; type crond_tmp_t;
files_tmp_file(crond_tmp_t) files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t) files_poly_parent(crond_tmp_t)
@@ -92,15 +95,17 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t }; @@ -92,15 +103,17 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
@ -18473,7 +18481,7 @@ index 7de3859..0ee059a 100644
type system_cronjob_lock_t alias system_crond_lock_t; type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t) files_lock_file(system_cronjob_lock_t)
@@ -108,94 +113,34 @@ files_lock_file(system_cronjob_lock_t) @@ -108,94 +121,34 @@ files_lock_file(system_cronjob_lock_t)
type system_cronjob_tmp_t alias system_crond_tmp_t; type system_cronjob_tmp_t alias system_crond_tmp_t;
files_tmp_file(system_cronjob_tmp_t) files_tmp_file(system_cronjob_tmp_t)
@ -18580,7 +18588,7 @@ index 7de3859..0ee059a 100644
selinux_get_fs_mount(admin_crontab_t) selinux_get_fs_mount(admin_crontab_t)
selinux_validate_context(admin_crontab_t) selinux_validate_context(admin_crontab_t)
selinux_compute_access_vector(admin_crontab_t) selinux_compute_access_vector(admin_crontab_t)
@@ -204,22 +149,26 @@ selinux_compute_relabel_context(admin_crontab_t) @@ -204,22 +157,26 @@ selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t) selinux_compute_user_contexts(admin_crontab_t)
tunable_policy(`fcron_crond',` tunable_policy(`fcron_crond',`
@ -18610,7 +18618,7 @@ index 7de3859..0ee059a 100644
allow crond_t self:shm create_shm_perms; allow crond_t self:shm create_shm_perms;
allow crond_t self:sem create_sem_perms; allow crond_t self:sem create_sem_perms;
allow crond_t self:msgq create_msgq_perms; allow crond_t self:msgq create_msgq_perms;
@@ -227,7 +176,7 @@ allow crond_t self:msg { send receive }; @@ -227,7 +184,7 @@ allow crond_t self:msg { send receive };
allow crond_t self:key { search write link }; allow crond_t self:key { search write link };
dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit; dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
@ -18619,7 +18627,7 @@ index 7de3859..0ee059a 100644
logging_log_filetrans(crond_t, cron_log_t, file) logging_log_filetrans(crond_t, cron_log_t, file)
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
@@ -237,73 +186,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) @@ -237,73 +194,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
@ -18723,7 +18731,7 @@ index 7de3859..0ee059a 100644
auth_use_nsswitch(crond_t) auth_use_nsswitch(crond_t)
logging_send_audit_msgs(crond_t) logging_send_audit_msgs(crond_t)
@@ -312,41 +256,46 @@ logging_set_loginuid(crond_t) @@ -312,41 +264,46 @@ logging_set_loginuid(crond_t)
seutil_read_config(crond_t) seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t) seutil_read_default_contexts(crond_t)
@ -18786,7 +18794,7 @@ index 7de3859..0ee059a 100644
') ')
optional_policy(` optional_policy(`
@@ -354,103 +303,135 @@ optional_policy(` @@ -354,103 +311,141 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -18916,6 +18924,12 @@ index 7de3859..0ee059a 100644
+# for this purpose. +# for this purpose.
+allow system_cronjob_t system_cron_spool_t:file entrypoint; +allow system_cronjob_t system_cron_spool_t:file entrypoint;
+ +
+tunable_policy(`cron_system_cronjob_use_shares',`
+ fs_fusefs_entrypoint(system_cronjob_t)
+ fs_nfs_entrypoint(system_cronjob_t)
+ fs_cifs_entrypoint(system_cronjob_t)
+')
+
+# Permit a transition from the crond_t domain to this domain. +# Permit a transition from the crond_t domain to this domain.
+# The transition is requested explicitly by the modified crond +# The transition is requested explicitly by the modified crond
+# via setexeccon. There is no way to set up an automatic +# via setexeccon. There is no way to set up an automatic
@ -18953,7 +18967,7 @@ index 7de3859..0ee059a 100644
allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms;
@@ -461,11 +442,11 @@ kernel_read_network_state(system_cronjob_t) @@ -461,11 +456,11 @@ kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t)
@ -18966,7 +18980,7 @@ index 7de3859..0ee059a 100644
corenet_all_recvfrom_netlabel(system_cronjob_t) corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t) corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t) corenet_udp_sendrecv_generic_if(system_cronjob_t)
@@ -485,6 +466,7 @@ fs_getattr_all_symlinks(system_cronjob_t) @@ -485,6 +480,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t)
@ -18974,7 +18988,7 @@ index 7de3859..0ee059a 100644
domain_dontaudit_read_all_domains_state(system_cronjob_t) domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t) files_exec_etc_files(system_cronjob_t)
@@ -495,17 +477,22 @@ files_getattr_all_files(system_cronjob_t) @@ -495,17 +491,22 @@ files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t) files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t) files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t) files_getattr_all_sockets(system_cronjob_t)
@ -18999,7 +19013,7 @@ index 7de3859..0ee059a 100644
auth_use_nsswitch(system_cronjob_t) auth_use_nsswitch(system_cronjob_t)
@@ -516,20 +503,26 @@ logging_read_generic_logs(system_cronjob_t) @@ -516,20 +517,26 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t)
@ -19029,7 +19043,7 @@ index 7de3859..0ee059a 100644
selinux_validate_context(system_cronjob_t) selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t) selinux_compute_create_context(system_cronjob_t)
@@ -539,10 +532,18 @@ tunable_policy(`cron_can_relabel',` @@ -539,10 +546,18 @@ tunable_policy(`cron_can_relabel',`
') ')
optional_policy(` optional_policy(`
@ -19048,7 +19062,7 @@ index 7de3859..0ee059a 100644
') ')
optional_policy(` optional_policy(`
@@ -551,10 +552,6 @@ optional_policy(` @@ -551,10 +566,6 @@ optional_policy(`
optional_policy(` optional_policy(`
dbus_system_bus_client(system_cronjob_t) dbus_system_bus_client(system_cronjob_t)
@ -19059,7 +19073,7 @@ index 7de3859..0ee059a 100644
') ')
optional_policy(` optional_policy(`
@@ -591,6 +588,7 @@ optional_policy(` @@ -591,6 +602,7 @@ optional_policy(`
optional_policy(` optional_policy(`
mta_read_config(system_cronjob_t) mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t) mta_send_mail(system_cronjob_t)
@ -19067,7 +19081,7 @@ index 7de3859..0ee059a 100644
') ')
optional_policy(` optional_policy(`
@@ -598,7 +596,23 @@ optional_policy(` @@ -598,7 +610,23 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -19091,7 +19105,7 @@ index 7de3859..0ee059a 100644
') ')
optional_policy(` optional_policy(`
@@ -607,7 +621,12 @@ optional_policy(` @@ -607,7 +635,12 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -19104,7 +19118,7 @@ index 7de3859..0ee059a 100644
') ')
optional_policy(` optional_policy(`
@@ -615,12 +634,27 @@ optional_policy(` @@ -615,12 +648,27 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -19134,7 +19148,7 @@ index 7de3859..0ee059a 100644
# #
allow cronjob_t self:process { signal_perms setsched }; allow cronjob_t self:process { signal_perms setsched };
@@ -628,12 +662,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; @@ -628,12 +676,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms;
@ -19168,7 +19182,7 @@ index 7de3859..0ee059a 100644
corenet_all_recvfrom_netlabel(cronjob_t) corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t)
@@ -641,66 +695,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) @@ -641,66 +709,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t)
@ -19643,7 +19657,7 @@ index b25b01d..6b7d687 100644
') ')
+ +
diff --git a/ctdb.te b/ctdb.te diff --git a/ctdb.te b/ctdb.te
index 001b502..61a9e2d 100644 index 001b502..bbf96d9 100644
--- a/ctdb.te --- a/ctdb.te
+++ b/ctdb.te +++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@ -19730,7 +19744,11 @@ index 001b502..61a9e2d 100644
optional_policy(` optional_policy(`
consoletype_exec(ctdbd_t) consoletype_exec(ctdbd_t)
') ')
@@ -109,6 +132,7 @@ optional_policy(` @@ -106,9 +129,11 @@ optional_policy(`
')
optional_policy(`
+ samba_signull_smbd(ctdbd_t)
samba_initrc_domtrans(ctdbd_t) samba_initrc_domtrans(ctdbd_t)
samba_domtrans_net(ctdbd_t) samba_domtrans_net(ctdbd_t)
samba_rw_var_files(ctdbd_t) samba_rw_var_files(ctdbd_t)
@ -26094,7 +26112,7 @@ index 9a21639..26c5986 100644
') ')
+ +
diff --git a/drbd.te b/drbd.te diff --git a/drbd.te b/drbd.te
index f2516cc..70ddc24 100644 index f2516cc..b371be4 100644
--- a/drbd.te --- a/drbd.te
+++ b/drbd.te +++ b/drbd.te
@@ -18,17 +18,20 @@ files_type(drbd_var_lib_t) @@ -18,17 +18,20 @@ files_type(drbd_var_lib_t)
@ -26120,7 +26138,7 @@ index f2516cc..70ddc24 100644
manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
@@ -38,18 +41,36 @@ files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir) @@ -38,18 +41,37 @@ files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir)
manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t) manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t)
files_lock_filetrans(drbd_t, drbd_lock_t, file) files_lock_filetrans(drbd_t, drbd_lock_t, file)
@ -26153,6 +26171,7 @@ index f2516cc..70ddc24 100644
+modutils_exec_insmod(drbd_t) +modutils_exec_insmod(drbd_t)
+ +
+storage_raw_read_fixed_disk(drbd_t) +storage_raw_read_fixed_disk(drbd_t)
+storage_raw_write_fixed_disk(drbd_t)
sysnet_dns_name_resolve(drbd_t) sysnet_dns_name_resolve(drbd_t)
+ +
@ -54483,7 +54502,7 @@ index 0641e97..ed3394e 100644
+ admin_pattern($1, nrpe_etc_t) + admin_pattern($1, nrpe_etc_t)
') ')
diff --git a/nagios.te b/nagios.te diff --git a/nagios.te b/nagios.te
index 7b3e682..40e93b4 100644 index 7b3e682..e4b8c8a 100644
--- a/nagios.te --- a/nagios.te
+++ b/nagios.te +++ b/nagios.te
@@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0) @@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0)
@ -54721,6 +54740,15 @@ index 7b3e682..40e93b4 100644
') ')
######################################## ########################################
@@ -214,7 +271,7 @@ optional_policy(`
# Nrpe local policy
#
-allow nrpe_t self:capability { setuid setgid };
+allow nrpe_t self:capability { setuid setgid kill };
dontaudit nrpe_t self:capability { sys_tty_config sys_resource };
allow nrpe_t self:process { setpgid signal_perms setsched setrlimit };
allow nrpe_t self:fifo_file rw_fifo_file_perms;
@@ -229,9 +286,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) @@ -229,9 +286,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
@ -64919,10 +64947,10 @@ index 0000000..80246e6
+ +
diff --git a/pcp.te b/pcp.te diff --git a/pcp.te b/pcp.te
new file mode 100644 new file mode 100644
index 0000000..8ec1e54 index 0000000..7a3dc05
--- /dev/null --- /dev/null
+++ b/pcp.te +++ b/pcp.te
@@ -0,0 +1,236 @@ @@ -0,0 +1,240 @@
+policy_module(pcp, 1.0.0) +policy_module(pcp, 1.0.0)
+ +
+######################################## +########################################
@ -65062,6 +65090,10 @@ index 0000000..8ec1e54
+userdom_read_user_tmp_files(pcp_pmcd_t) +userdom_read_user_tmp_files(pcp_pmcd_t)
+ +
+optional_policy(` +optional_policy(`
+ mysql_stream_connect(pcp_pmcd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(pcp_pmcd_t) + dbus_system_bus_client(pcp_pmcd_t)
+ +
+ optional_policy(` + optional_policy(`
@ -73259,10 +73291,10 @@ index cc426e6..fe5d842 100644
+') +')
diff --git a/prosody.fc b/prosody.fc diff --git a/prosody.fc b/prosody.fc
new file mode 100644 new file mode 100644
index 0000000..96a0d9f index 0000000..c056a2f
--- /dev/null --- /dev/null
+++ b/prosody.fc +++ b/prosody.fc
@@ -0,0 +1,8 @@ @@ -0,0 +1,10 @@
+/usr/bin/prosody -- gen_context(system_u:object_r:prosody_exec_t,s0) +/usr/bin/prosody -- gen_context(system_u:object_r:prosody_exec_t,s0)
+/usr/bin/prosodyctl -- gen_context(system_u:object_r:prosody_exec_t,s0) +/usr/bin/prosodyctl -- gen_context(system_u:object_r:prosody_exec_t,s0)
+ +
@ -73271,6 +73303,8 @@ index 0000000..96a0d9f
+/var/lib/prosody(/.*)? gen_context(system_u:object_r:prosody_var_lib_t,s0) +/var/lib/prosody(/.*)? gen_context(system_u:object_r:prosody_var_lib_t,s0)
+ +
+/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0) +/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0)
+
+/var/log/prosody(/.*)? gen_context(system_u:object_r:prosody_log_t,s0)
diff --git a/prosody.if b/prosody.if diff --git a/prosody.if b/prosody.if
new file mode 100644 new file mode 100644
index 0000000..44ed5ad index 0000000..44ed5ad
@ -73514,10 +73548,10 @@ index 0000000..44ed5ad
+') +')
diff --git a/prosody.te b/prosody.te diff --git a/prosody.te b/prosody.te
new file mode 100644 new file mode 100644
index 0000000..ad32ffe index 0000000..f48f1b9
--- /dev/null --- /dev/null
+++ b/prosody.te +++ b/prosody.te
@@ -0,0 +1,75 @@ @@ -0,0 +1,85 @@
+policy_module(prosody, 1.0.0) +policy_module(prosody, 1.0.0)
+ +
+######################################## +########################################
@ -73537,6 +73571,9 @@ index 0000000..ad32ffe
+type prosody_exec_t; +type prosody_exec_t;
+init_daemon_domain(prosody_t, prosody_exec_t) +init_daemon_domain(prosody_t, prosody_exec_t)
+ +
+type prosody_log_t;
+logging_log_file(prosody_log_t)
+
+type prosody_var_lib_t; +type prosody_var_lib_t;
+files_type(prosody_var_lib_t) +files_type(prosody_var_lib_t)
+ +
@ -73550,7 +73587,7 @@ index 0000000..ad32ffe
+# +#
+# prosody local policy +# prosody local policy
+# +#
+allow prosody_t self:capability { setuid setgid }; +allow prosody_t self:capability { setuid setgid dac_read_search dac_override };
+allow prosody_t self:process { signal_perms execmem }; +allow prosody_t self:process { signal_perms execmem };
+allow prosody_t self:tcp_socket create_stream_socket_perms; +allow prosody_t self:tcp_socket create_stream_socket_perms;
+ +
@ -73564,6 +73601,11 @@ index 0000000..ad32ffe
+manage_lnk_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t) +manage_lnk_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
+files_pid_filetrans(prosody_t, prosody_var_run_t, { dir file lnk_file }) +files_pid_filetrans(prosody_t, prosody_var_run_t, { dir file lnk_file })
+ +
+manage_dirs_pattern(prosody_t, prosody_log_t, prosody_log_t)
+manage_files_pattern(prosody_t, prosody_log_t, prosody_log_t)
+setattr_files_pattern(prosody_t, prosody_log_t, prosody_log_t)
+logging_log_filetrans(prosody_t, prosody_log_t, { file dir })
+
+can_exec(prosody_t, prosody_exec_t) +can_exec(prosody_t, prosody_exec_t)
+ +
+kernel_read_system_state(prosody_t) +kernel_read_system_state(prosody_t)
@ -73572,11 +73614,13 @@ index 0000000..ad32ffe
+corecmd_exec_shell(prosody_t) +corecmd_exec_shell(prosody_t)
+ +
+corenet_udp_bind_generic_node(prosody_t) +corenet_udp_bind_generic_node(prosody_t)
+corenet_tcp_connect_postgresql_port(prosody_t)
+corenet_tcp_connect_jabber_interserver_port(prosody_t) +corenet_tcp_connect_jabber_interserver_port(prosody_t)
+corenet_tcp_connect_jabber_client_port(prosody_t) +corenet_tcp_connect_jabber_client_port(prosody_t)
+corenet_tcp_bind_jabber_client_port(prosody_t) +corenet_tcp_bind_jabber_client_port(prosody_t)
+corenet_tcp_bind_jabber_interserver_port(prosody_t) +corenet_tcp_bind_jabber_interserver_port(prosody_t)
+corenet_tcp_bind_jabber_router_port(prosody_t) +corenet_tcp_bind_jabber_router_port(prosody_t)
+
+tunable_policy(`prosody_bind_http_port',` +tunable_policy(`prosody_bind_http_port',`
+ corenet_tcp_bind_http_port(prosody_t) + corenet_tcp_bind_http_port(prosody_t)
+') +')
@ -88717,7 +88761,7 @@ index b8b66ff..a93346e 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+') +')
diff --git a/samba.if b/samba.if diff --git a/samba.if b/samba.if
index 50d07fb..59296a2 100644 index 50d07fb..556b25d 100644
--- a/samba.if --- a/samba.if
+++ b/samba.if +++ b/samba.if
@@ -1,8 +1,12 @@ @@ -1,8 +1,12 @@
@ -89168,8 +89212,27 @@ index 50d07fb..59296a2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -507,8 +624,7 @@ interface(`samba_signal_smbd',` @@ -505,10 +622,26 @@ interface(`samba_signal_smbd',`
allow $1 smbd_t:process signal;
')
+######################################
+## <summary>
+## Allow domain to signull samba
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_signull_smbd',`
+ gen_require(`
+ type smbd_t;
+ ')
+ allow $1 smbd_t:process signull;
+')
+
######################################## ########################################
## <summary> ## <summary>
-## Do not audit attempts to inherit -## Do not audit attempts to inherit
@ -89178,7 +89241,7 @@ index 50d07fb..59296a2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -526,7 +642,7 @@ interface(`samba_dontaudit_use_fds',` @@ -526,7 +659,7 @@ interface(`samba_dontaudit_use_fds',`
######################################## ########################################
## <summary> ## <summary>
@ -89187,7 +89250,7 @@ index 50d07fb..59296a2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -544,7 +660,7 @@ interface(`samba_write_smbmount_tcp_sockets',` @@ -544,7 +677,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
######################################## ########################################
## <summary> ## <summary>
@ -89196,7 +89259,7 @@ index 50d07fb..59296a2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -560,49 +676,47 @@ interface(`samba_rw_smbmount_tcp_sockets',` @@ -560,49 +693,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
allow $1 smbmount_t:tcp_socket { read write }; allow $1 smbmount_t:tcp_socket { read write };
') ')
@ -89265,7 +89328,7 @@ index 50d07fb..59296a2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -618,16 +732,16 @@ interface(`samba_getattr_winbind_exec',` @@ -618,16 +749,16 @@ interface(`samba_getattr_winbind_exec',`
# #
interface(`samba_run_winbind_helper',` interface(`samba_run_winbind_helper',`
gen_require(` gen_require(`
@ -89285,7 +89348,7 @@ index 50d07fb..59296a2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -637,17 +751,16 @@ interface(`samba_run_winbind_helper',` @@ -637,17 +768,16 @@ interface(`samba_run_winbind_helper',`
# #
interface(`samba_read_winbind_pid',` interface(`samba_read_winbind_pid',`
gen_require(` gen_require(`
@ -89307,7 +89370,7 @@ index 50d07fb..59296a2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -657,17 +770,61 @@ interface(`samba_read_winbind_pid',` @@ -657,17 +787,61 @@ interface(`samba_read_winbind_pid',`
# #
interface(`samba_stream_connect_winbind',` interface(`samba_stream_connect_winbind',`
gen_require(` gen_require(`
@ -89374,7 +89437,7 @@ index 50d07fb..59296a2 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -676,7 +833,7 @@ interface(`samba_stream_connect_winbind',` @@ -676,7 +850,7 @@ interface(`samba_stream_connect_winbind',`
## </param> ## </param>
## <param name="role"> ## <param name="role">
## <summary> ## <summary>
@ -89383,15 +89446,17 @@ index 50d07fb..59296a2 100644
## </summary> ## </summary>
## </param> ## </param>
## <rolecap/> ## <rolecap/>
@@ -689,11 +846,29 @@ interface(`samba_admin',` @@ -689,11 +863,29 @@ interface(`samba_admin',`
type samba_etc_t, samba_share_t, samba_initrc_exec_t; type samba_etc_t, samba_share_t, samba_initrc_exec_t;
type swat_var_run_t, swat_tmp_t, winbind_log_t; type swat_var_run_t, swat_tmp_t, winbind_log_t;
type winbind_var_run_t, winbind_tmp_t; type winbind_var_run_t, winbind_tmp_t;
- type smbd_keytab_t; - type smbd_keytab_t;
+ type smbd_keytab_t, samba_unit_file_t; + type smbd_keytab_t, samba_unit_file_t;
+ type samba_unconfined_script_t; + type samba_unconfined_script_t;
+ ') ')
+
- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { nmbd_t smbd_t })
+ allow $1 smbd_t:process signal_perms; + allow $1 smbd_t:process signal_perms;
+ ps_process_pattern($1, smbd_t) + ps_process_pattern($1, smbd_t)
+ +
@ -89399,10 +89464,8 @@ index 50d07fb..59296a2 100644
+ allow $1 smbd_t:process ptrace; + allow $1 smbd_t:process ptrace;
+ allow $1 nmbd_t:process ptrace; + allow $1 nmbd_t:process ptrace;
+ allow $1 samba_unconfined_script_t:process ptrace; + allow $1 samba_unconfined_script_t:process ptrace;
') + ')
+
- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { nmbd_t smbd_t })
+ allow $1 nmbd_t:process signal_perms; + allow $1 nmbd_t:process signal_perms;
+ ps_process_pattern($1, nmbd_t) + ps_process_pattern($1, nmbd_t)
+ +
@ -89416,7 +89479,7 @@ index 50d07fb..59296a2 100644
init_labeled_script_domtrans($1, samba_initrc_exec_t) init_labeled_script_domtrans($1, samba_initrc_exec_t)
domain_system_change_exemption($1) domain_system_change_exemption($1)
@@ -703,23 +878,34 @@ interface(`samba_admin',` @@ -703,23 +895,34 @@ interface(`samba_admin',`
files_list_etc($1) files_list_etc($1)
admin_pattern($1, { samba_etc_t smbd_keytab_t }) admin_pattern($1, { samba_etc_t smbd_keytab_t })
@ -89427,11 +89490,11 @@ index 50d07fb..59296a2 100644
- files_list_var($1) - files_list_var($1)
- admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t }) - admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t })
+ admin_pattern($1, samba_secrets_t) + admin_pattern($1, samba_secrets_t)
+
+ admin_pattern($1, samba_share_t)
- files_list_spool($1) - files_list_spool($1)
- admin_pattern($1, smbd_spool_t) - admin_pattern($1, smbd_spool_t)
+ admin_pattern($1, samba_share_t)
+
+ admin_pattern($1, samba_var_t) + admin_pattern($1, samba_var_t)
+ files_list_var($1) + files_list_var($1)

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 133%{?dist} Release: 134%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -602,6 +602,17 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Thu Jul 02 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-134
- Allow ctdb_t sending signull to smbd_t, for checking if smbd process exists. BZ(1224879)
- Fix cron_system_cronjob_use_shares boolean to call fs interfaces which contain only entrypoint permission.
- Add cron_system_cronjob_use_shares boolean to allow system cronjob to be executed from shares - NFS, CIFS, FUSE. It requires "entrypoint" permissios on nfs_t, cifs_t and fusefs_t SELinux types.
- Merge remote-tracking branch 'refs/remotes/origin/rawhide-contrib' into rawhide-contrib
- nrpe needs kill capability to make gluster moniterd nodes working.
- Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
- Allow prosody connect to postgresql port.
- Add new interfaces
- Add fs_fusefs_entry_type() interface.
* Tue Jun 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-133 * Tue Jun 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-133
- Cleanup permissive domains. - Cleanup permissive domains.