diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index 31797a49..8ad8253d 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -2255,3 +2255,17 @@ smsd = module # policy for pesign # pesign = module + +# Layer: contrib +# Module: nsd +# +# Fast and lean authoritative DNS Name Server +# +nsd = module + +# Layer: contrib +# Module: iodine +# +# Fast and lean authoritative DNS Name Server +# +iodine = module diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 377dc48c..2efeb50a 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5170,7 +5170,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..68176bb 100644 +index 4edc40d..b48abbe 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5400,7 +5400,7 @@ index 4edc40d..68176bb 100644 network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) -@@ -214,38 +255,42 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,38 +255,43 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5415,6 +5415,7 @@ index 4edc40d..68176bb 100644 network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) +network_port(time, tcp,37,s0, udp,37,s0) ++network_port(redis, tcp,6379,s0) network_port(repository, tcp, 6363, s0) network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) @@ -5449,7 +5450,7 @@ index 4edc40d..68176bb 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -257,8 +302,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -257,8 +303,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5460,7 +5461,7 @@ index 4edc40d..68176bb 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) -@@ -268,10 +314,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -268,10 +315,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -5473,7 +5474,7 @@ index 4edc40d..68176bb 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -292,12 +338,16 @@ network_port(zope, tcp,8021,s0) +@@ -292,12 +339,16 @@ network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise declared. @@ -5492,7 +5493,7 @@ index 4edc40d..68176bb 100644 ######################################## # -@@ -330,6 +380,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +381,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5501,7 +5502,7 @@ index 4edc40d..68176bb 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +394,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +395,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -33356,15 +33357,14 @@ index 3822072..1029e3b 100644 + userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context") +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ec01d0b..64db314 100644 +index ec01d0b..e2b829b 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te -@@ -11,14 +11,17 @@ gen_require(` +@@ -11,14 +11,16 @@ gen_require(` attribute can_write_binary_policy; attribute can_relabelto_binary_policy; +attribute setfiles_domain; -+attribute seutil_semanage_domain; +attribute policy_manager_domain; -attribute_role newrole_roles; @@ -33382,7 +33382,7 @@ index ec01d0b..64db314 100644 # # selinux_config_t is the type applied to -@@ -28,7 +31,13 @@ roleattribute system_r semanage_roles; +@@ -28,7 +30,13 @@ roleattribute system_r semanage_roles; # in the domain_type interface # (fix dup decl) type selinux_config_t; @@ -33397,7 +33397,7 @@ index ec01d0b..64db314 100644 type checkpolicy_t, can_write_binary_policy; type checkpolicy_exec_t; -@@ -40,14 +49,14 @@ role system_r types checkpolicy_t; +@@ -40,14 +48,14 @@ role system_r types checkpolicy_t; # /etc/selinux/*/contexts/* # type default_context_t; @@ -33414,7 +33414,7 @@ index ec01d0b..64db314 100644 type load_policy_t; type load_policy_exec_t; -@@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t) +@@ -60,14 +68,20 @@ application_domain(newrole_t, newrole_exec_t) domain_role_change_exemption(newrole_t) domain_obj_id_change_exemption(newrole_t) domain_interactive_fd(newrole_t) @@ -33438,7 +33438,7 @@ index ec01d0b..64db314 100644 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; #neverallow ~can_write_binary_policy policy_config_t:file { write append }; -@@ -83,7 +98,6 @@ type restorecond_t; +@@ -83,7 +97,6 @@ type restorecond_t; type restorecond_exec_t; init_daemon_domain(restorecond_t, restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) @@ -33446,7 +33446,7 @@ index ec01d0b..64db314 100644 type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) -@@ -92,25 +106,32 @@ type run_init_t; +@@ -92,25 +105,32 @@ type run_init_t; type run_init_exec_t; application_domain(run_init_t, run_init_exec_t) domain_system_change_exemption(run_init_t) @@ -33485,7 +33485,7 @@ index ec01d0b..64db314 100644 type semanage_var_lib_t; files_type(semanage_var_lib_t) -@@ -120,6 +141,11 @@ type setfiles_exec_t alias restorecon_exec_t; +@@ -120,6 +140,11 @@ type setfiles_exec_t alias restorecon_exec_t; init_system_domain(setfiles_t, setfiles_exec_t) domain_obj_id_change_exemption(setfiles_t) @@ -33497,7 +33497,7 @@ index ec01d0b..64db314 100644 ######################################## # # Checkpolicy local policy -@@ -137,6 +163,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file) +@@ -137,6 +162,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file) read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) allow checkpolicy_t selinux_config_t:dir search_dir_perms; @@ -33505,7 +33505,7 @@ index ec01d0b..64db314 100644 domain_use_interactive_fds(checkpolicy_t) -@@ -151,7 +178,7 @@ term_use_console(checkpolicy_t) +@@ -151,7 +177,7 @@ term_use_console(checkpolicy_t) init_use_fds(checkpolicy_t) init_use_script_ptys(checkpolicy_t) @@ -33514,7 +33514,7 @@ index ec01d0b..64db314 100644 userdom_use_all_users_fds(checkpolicy_t) ifdef(`distro_ubuntu',` -@@ -188,13 +215,13 @@ term_list_ptys(load_policy_t) +@@ -188,13 +214,13 @@ term_list_ptys(load_policy_t) init_use_script_fds(load_policy_t) init_use_script_ptys(load_policy_t) @@ -33531,7 +33531,7 @@ index ec01d0b..64db314 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -205,6 +232,7 @@ ifdef(`distro_ubuntu',` +@@ -205,6 +231,7 @@ ifdef(`distro_ubuntu',` ifdef(`hide_broken_symptoms',` # cjp: cover up stray file descriptors. dontaudit load_policy_t selinux_config_t:file write; @@ -33539,7 +33539,7 @@ index ec01d0b..64db314 100644 optional_policy(` unconfined_dontaudit_read_pipes(load_policy_t) -@@ -215,12 +243,17 @@ optional_policy(` +@@ -215,12 +242,17 @@ optional_policy(` portage_dontaudit_use_fds(load_policy_t) ') @@ -33558,7 +33558,7 @@ index ec01d0b..64db314 100644 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; -@@ -232,7 +265,7 @@ allow newrole_t self:msgq create_msgq_perms; +@@ -232,7 +264,7 @@ allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -33567,7 +33567,7 @@ index ec01d0b..64db314 100644 read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -249,6 +282,7 @@ domain_use_interactive_fds(newrole_t) +@@ -249,6 +281,7 @@ domain_use_interactive_fds(newrole_t) # for when the user types "exec newrole" at the command line: domain_sigchld_interactive_fds(newrole_t) @@ -33575,7 +33575,7 @@ index ec01d0b..64db314 100644 files_read_etc_files(newrole_t) files_read_var_files(newrole_t) files_read_var_symlinks(newrole_t) -@@ -276,25 +310,34 @@ term_relabel_all_ptys(newrole_t) +@@ -276,25 +309,34 @@ term_relabel_all_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) @@ -33617,7 +33617,7 @@ index ec01d0b..64db314 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -309,7 +352,7 @@ if(secure_mode) { +@@ -309,7 +351,7 @@ if(secure_mode) { userdom_spec_domtrans_all_users(newrole_t) } @@ -33626,7 +33626,7 @@ index ec01d0b..64db314 100644 files_polyinstantiate_all(newrole_t) ') -@@ -328,9 +371,13 @@ kernel_use_fds(restorecond_t) +@@ -328,9 +370,13 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) @@ -33641,7 +33641,7 @@ index ec01d0b..64db314 100644 fs_list_inotifyfs(restorecond_t) selinux_validate_context(restorecond_t) -@@ -341,16 +388,17 @@ selinux_compute_user_contexts(restorecond_t) +@@ -341,16 +387,17 @@ selinux_compute_user_contexts(restorecond_t) files_relabel_non_auth_files(restorecond_t ) files_read_non_auth_files(restorecond_t) @@ -33661,7 +33661,7 @@ index ec01d0b..64db314 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -366,21 +414,24 @@ optional_policy(` +@@ -366,21 +413,24 @@ optional_policy(` # Run_init local policy # @@ -33688,7 +33688,7 @@ index ec01d0b..64db314 100644 dev_dontaudit_list_all_dev_nodes(run_init_t) domain_use_interactive_fds(run_init_t) -@@ -398,23 +449,30 @@ selinux_compute_create_context(run_init_t) +@@ -398,23 +448,30 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) @@ -33724,7 +33724,7 @@ index ec01d0b..64db314 100644 ifndef(`direct_sysadm_daemon',` ifdef(`distro_gentoo',` -@@ -425,6 +483,19 @@ ifndef(`direct_sysadm_daemon',` +@@ -425,6 +482,19 @@ ifndef(`direct_sysadm_daemon',` ') ') @@ -33744,7 +33744,7 @@ index ec01d0b..64db314 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -440,81 +511,87 @@ optional_policy(` +@@ -440,81 +510,87 @@ optional_policy(` # semodule local policy # @@ -33885,7 +33885,7 @@ index ec01d0b..64db314 100644 ') ######################################## -@@ -522,108 +599,181 @@ ifdef(`distro_ubuntu',` +@@ -522,108 +598,181 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -34151,7 +34151,7 @@ index ec01d0b..64db314 100644 +userdom_use_user_ptys(policy_manager_domain) + +files_rw_inherited_generic_pid_files(setfiles_domain) -+files_rw_inherited_generic_pid_files(seutil_semanage_domain) ++files_rw_inherited_generic_pid_files(policy_manager_domain) diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc index bea4629..06e2834 100644 --- a/policy/modules/system/setrans.fc @@ -38249,7 +38249,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..4f43578 100644 +index 3c5dba7..4129aa6 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -39192,7 +39192,7 @@ index 3c5dba7..4f43578 100644 + allow $1_t self:process ~{ ptrace execmem execstack execheap }; + + tunable_policy(`selinuxuser_use_ssh_chroot',` -+ allow $1_t self:capability { setuid sys_chroot }; ++ allow $1_t self:capability { setuid setgid sys_chroot }; + ') - allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 203ed180..ae88cc09 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -4528,7 +4528,7 @@ index 83e899c..c5be77c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..392480e 100644 +index 1a82e29..69725f8 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,367 @@ @@ -5611,17 +5611,17 @@ index 1a82e29..392480e 100644 - userdom_use_user_terminals(httpd_t) -',` - userdom_dontaudit_use_user_terminals(httpd_t) --') -- ++ userdom_use_inherited_user_terminals(httpd_t) ++ userdom_use_inherited_user_terminals(httpd_suexec_t) + ') + -tunable_policy(`httpd_use_cifs',` - fs_list_auto_mountpoints(httpd_t) - fs_manage_cifs_dirs(httpd_t) - fs_manage_cifs_files(httpd_t) - fs_manage_cifs_symlinks(httpd_t) -+ userdom_use_inherited_user_terminals(httpd_t) -+ userdom_use_inherited_user_terminals(httpd_suexec_t) - ') - +-') +- -tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_t) -') @@ -5791,7 +5791,7 @@ index 1a82e29..392480e 100644 ') optional_policy(` -@@ -836,20 +984,38 @@ optional_policy(` +@@ -836,20 +984,39 @@ optional_policy(` ') optional_policy(` @@ -5817,6 +5817,7 @@ index 1a82e29..392480e 100644 + pki_manage_apache_lib(httpd_t) + pki_manage_apache_log_files(httpd_t) + pki_manage_apache_run(httpd_t) ++ pki_read_tomcat_cert(httpd_t) +') - tunable_policy(`httpd_can_network_connect_db',` @@ -5836,7 +5837,7 @@ index 1a82e29..392480e 100644 ') optional_policy(` -@@ -857,6 +1023,16 @@ optional_policy(` +@@ -857,6 +1024,16 @@ optional_policy(` ') optional_policy(` @@ -5853,7 +5854,7 @@ index 1a82e29..392480e 100644 seutil_sigchld_newrole(httpd_t) ') -@@ -865,11 +1041,16 @@ optional_policy(` +@@ -865,11 +1042,16 @@ optional_policy(` ') optional_policy(` @@ -5870,7 +5871,7 @@ index 1a82e29..392480e 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1058,165 @@ optional_policy(` +@@ -877,65 +1059,170 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -5879,6 +5880,11 @@ index 1a82e29..392480e 100644 + zarafa_stream_connect_server(httpd_t) + zarafa_search_config(httpd_t) +') ++ ++optional_policy(` ++ zoneminder_manage_lib_dirs(httpd_t) ++ zoneminder_manage_lib_files(httpd_t) ++') + ######################################## # @@ -6058,7 +6064,7 @@ index 1a82e29..392480e 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1225,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1231,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6213,7 +6219,7 @@ index 1a82e29..392480e 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1309,104 @@ optional_policy(` +@@ -1077,172 +1315,104 @@ optional_policy(` ') ') @@ -6238,8 +6244,7 @@ index 1a82e29..392480e 100644 - -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -+allow httpd_sys_script_t self:process getsched; - +- -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - @@ -6247,7 +6252,8 @@ index 1a82e29..392480e 100644 -corenet_all_recvfrom_netlabel(httpd_script_domains) -corenet_tcp_sendrecv_generic_if(httpd_script_domains) -corenet_tcp_sendrecv_generic_node(httpd_script_domains) -- ++allow httpd_sys_script_t self:process getsched; + -corecmd_exec_all_executables(httpd_script_domains) +allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; +allow httpd_sys_script_t httpd_t:tcp_socket { read write }; @@ -6392,10 +6398,10 @@ index 1a82e29..392480e 100644 -allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms; - -kernel_read_kernel_sysctls(httpd_sys_script_t) +- +-fs_search_auto_mountpoints(httpd_sys_script_t) +corenet_all_recvfrom_netlabel(httpd_sys_script_t) --fs_search_auto_mountpoints(httpd_sys_script_t) -- -files_read_var_symlinks(httpd_sys_script_t) -files_search_var_lib(httpd_sys_script_t) -files_search_spool(httpd_sys_script_t) @@ -6449,7 +6455,7 @@ index 1a82e29..392480e 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1414,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1420,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6546,7 +6552,7 @@ index 1a82e29..392480e 100644 ######################################## # -@@ -1315,8 +1489,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1495,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6563,7 +6569,7 @@ index 1a82e29..392480e 100644 ') ######################################## -@@ -1324,49 +1505,36 @@ optional_policy(` +@@ -1324,49 +1511,36 @@ optional_policy(` # User content local policy # @@ -6627,7 +6633,7 @@ index 1a82e29..392480e 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1544,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1550,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -10494,10 +10500,10 @@ index 0000000..5977d96 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..f4a8884 +index 0000000..25f2d55 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,237 @@ +@@ -0,0 +1,238 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -10595,6 +10601,7 @@ index 0000000..f4a8884 +corenet_tcp_connect_tor_port(chrome_sandbox_t) +corenet_tcp_connect_transproxy_port(chrome_sandbox_t) +corenet_tcp_connect_vnc_port(chrome_sandbox_t) ++corenet_tcp_connect_whois_port(chrome_sandbox_t) +corenet_tcp_sendrecv_generic_if(chrome_sandbox_t) +corenet_tcp_sendrecv_generic_node(chrome_sandbox_t) + @@ -13298,7 +13305,7 @@ index 5b830ec..0647a3b 100644 + ps_process_pattern($1, consolekit_t) +') diff --git a/consolekit.te b/consolekit.te -index 5f0c793..f473adf 100644 +index 5f0c793..ecd0397 100644 --- a/consolekit.te +++ b/consolekit.te @@ -19,12 +19,16 @@ type consolekit_var_run_t; @@ -13318,7 +13325,7 @@ index 5f0c793..f473adf 100644 allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket { accept listen }; -@@ -54,17 +58,13 @@ dev_read_sysfs(consolekit_t) +@@ -54,37 +58,35 @@ dev_read_sysfs(consolekit_t) domain_read_all_domains_state(consolekit_t) domain_use_interactive_fds(consolekit_t) @@ -13336,7 +13343,11 @@ index 5f0c793..f473adf 100644 term_use_all_terms(consolekit_t) auth_use_nsswitch(consolekit_t) -@@ -74,17 +74,17 @@ auth_write_login_records(consolekit_t) + auth_manage_pam_console_data(consolekit_t) + auth_write_login_records(consolekit_t) + ++init_read_utmp(consolekit_t) ++ logging_send_syslog_msg(consolekit_t) logging_send_audit_msgs(consolekit_t) @@ -13360,7 +13371,7 @@ index 5f0c793..f473adf 100644 ') ifdef(`distro_debian',` -@@ -112,13 +112,6 @@ optional_policy(` +@@ -112,13 +114,6 @@ optional_policy(` ') ') @@ -22435,7 +22446,7 @@ index 18f2452..a446210 100644 + ') diff --git a/dspam.te b/dspam.te -index 266cb8f..63643a8 100644 +index 266cb8f..c736297 100644 --- a/dspam.te +++ b/dspam.te @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t) @@ -22448,12 +22459,22 @@ index 266cb8f..63643a8 100644 allow dspam_t self:fifo_file rw_fifo_file_perms; allow dspam_t self:unix_stream_socket { accept listen }; -@@ -64,14 +67,33 @@ auth_use_nsswitch(dspam_t) +@@ -58,20 +61,42 @@ corenet_tcp_bind_spamd_port(dspam_t) + corenet_tcp_connect_spamd_port(dspam_t) + corenet_tcp_sendrecv_spamd_port(dspam_t) + ++kernel_read_system_state(dspam_t) ++ ++corecmd_exec_shell(dspam_t) ++ + files_search_spool(dspam_t) + + auth_use_nsswitch(dspam_t) logging_send_syslog_msg(dspam_t) -miscfiles_read_localization(dspam_t) - +- optional_policy(` apache_content_template(dspam) @@ -22485,13 +22506,14 @@ index 266cb8f..63643a8 100644 ') optional_policy(` -@@ -87,3 +109,11 @@ optional_policy(` +@@ -87,3 +112,12 @@ optional_policy(` postgresql_tcp_connect(dspam_t) ') + +optional_policy(` + postfix_rw_inherited_master_pipes(dspam_t) ++ postfix_list_spool(dspam_t) +') + +optional_policy(` @@ -23073,9 +23095,18 @@ index 50d0084..6565422 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index 0872e50..d336d7f 100644 +index 0872e50..598e4ee 100644 --- a/fail2ban.te +++ b/fail2ban.te +@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; + # + + allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; +-allow fail2ban_t self:process signal; ++allow fail2ban_t self:process { setsched signal }; + allow fail2ban_t self:fifo_file rw_fifo_file_perms; + allow fail2ban_t self:unix_stream_socket { accept connectto listen }; + allow fail2ban_t self:tcp_socket { accept listen }; @@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t) corecmd_exec_bin(fail2ban_t) corecmd_exec_shell(fail2ban_t) @@ -23092,7 +23123,7 @@ index 0872e50..d336d7f 100644 files_list_var(fail2ban_t) files_dontaudit_list_tmp(fail2ban_t) -@@ -92,12 +90,10 @@ auth_use_nsswitch(fail2ban_t) +@@ -92,22 +90,33 @@ auth_use_nsswitch(fail2ban_t) logging_read_all_logs(fail2ban_t) logging_send_syslog_msg(fail2ban_t) @@ -23107,7 +23138,19 @@ index 0872e50..d336d7f 100644 optional_policy(` apache_read_log(fail2ban_t) -@@ -108,6 +104,10 @@ optional_policy(` + ') + + optional_policy(` ++ dbus_system_bus_client(fail2ban_t) ++ dbus_connect_system_bus(fail2ban_t) ++ ++ optional_policy(` ++ firewalld_dbus_chat(fail2ban_t) ++ ') ++') ++ ++optional_policy(` + ftp_read_log(fail2ban_t) ') optional_policy(` @@ -23118,7 +23161,18 @@ index 0872e50..d336d7f 100644 iptables_domtrans(fail2ban_t) ') -@@ -129,6 +129,7 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; +@@ -116,6 +125,10 @@ optional_policy(` + ') + + optional_policy(` ++ rpm_exec(fail2ban_t) ++') ++ ++optional_policy(` + shorewall_domtrans(fail2ban_t) + ') + +@@ -129,22 +142,24 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -23126,8 +23180,12 @@ index 0872e50..d336d7f 100644 stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) kernel_read_system_state(fail2ban_client_t) -@@ -137,14 +138,12 @@ corecmd_exec_bin(fail2ban_client_t) + corecmd_exec_bin(fail2ban_client_t) + ++dev_read_urand(fail2ban_client_t) ++dev_read_rand(fail2ban_client_t) ++ domain_use_interactive_fds(fail2ban_client_t) -files_read_etc_files(fail2ban_client_t) @@ -23308,14 +23366,14 @@ index 21d7b84..0e272bd 100644 /etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0) diff --git a/firewalld.if b/firewalld.if -index 5cf6ac6..62547ee 100644 +index 5cf6ac6..0fc685b 100644 --- a/firewalld.if +++ b/firewalld.if @@ -2,6 +2,66 @@ ######################################## ## -+## Execute a domain transition to run firewalld. ++## Read firewalld config +## +## +## @@ -23323,15 +23381,15 @@ index 5cf6ac6..62547ee 100644 +## +## +# -+interface(`firewalld_domtrans',` ++interface(`firewalld_read_config',` + gen_require(` -+ type firewalld_t, firewalld_exec_t; ++ type firewalld_etc_rw_t; + ') + -+ domtrans_pattern($1, firewalld_exec_t, firewalld_t) ++ files_search_etc($1) ++ read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t) +') + -+ +######################################## +## +## Execute firewalld server in the firewalld domain. @@ -28645,10 +28703,10 @@ index 0000000..f4659d1 +/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0) diff --git a/gssproxy.if b/gssproxy.if new file mode 100644 -index 0000000..072ddb0 +index 0000000..28263c7 --- /dev/null +++ b/gssproxy.if -@@ -0,0 +1,203 @@ +@@ -0,0 +1,204 @@ + +## policy for gssproxy + @@ -28803,11 +28861,12 @@ index 0000000..072ddb0 +# +interface(`gssproxy_stream_connect',` + gen_require(` -+ type gssproxy_t, gssproxy_var_run_t; ++ type gssproxy_t, gssproxy_var_run_t, gssproxy_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t) ++ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t) +') + +######################################## @@ -34651,7 +34710,7 @@ index 7bab8e5..3baae66 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index 4256a4c..0311d82 100644 +index 4256a4c..a8dde53 100644 --- a/logwatch.te +++ b/logwatch.te @@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6) @@ -34664,7 +34723,17 @@ index 4256a4c..0311d82 100644 type logwatch_cache_t; files_type(logwatch_cache_t) -@@ -67,10 +68,11 @@ files_list_var(logwatch_t) +@@ -37,7 +38,8 @@ allow logwatch_t self:unix_stream_socket { accept listen }; + manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) + manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) + +-allow logwatch_t logwatch_lock_t:file manage_file_perms; ++manage_files_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t) ++manage_dirs_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t) + files_lock_filetrans(logwatch_t, logwatch_lock_t, file) + + manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) +@@ -67,10 +69,11 @@ files_list_var(logwatch_t) files_search_all(logwatch_t) files_read_var_symlinks(logwatch_t) files_read_etc_runtime_files(logwatch_t) @@ -34677,7 +34746,7 @@ index 4256a4c..0311d82 100644 fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) -@@ -92,13 +94,12 @@ libs_read_lib_files(logwatch_t) +@@ -92,13 +95,12 @@ libs_read_lib_files(logwatch_t) logging_read_all_logs(logwatch_t) logging_send_syslog_msg(logwatch_t) @@ -34692,7 +34761,7 @@ index 4256a4c..0311d82 100644 mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) mta_getattr_spool(logwatch_t) -@@ -137,6 +138,11 @@ optional_policy(` +@@ -137,6 +139,11 @@ optional_policy(` ') optional_policy(` @@ -34704,7 +34773,7 @@ index 4256a4c..0311d82 100644 rpc_search_nfs_state_data(logwatch_t) ') -@@ -164,6 +170,12 @@ dev_read_sysfs(logwatch_mail_t) +@@ -164,6 +171,12 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) @@ -35387,7 +35456,7 @@ index 108c0f1..a248501 100644 domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) ') diff --git a/mailman.te b/mailman.te -index 8eaf51b..16086a5 100644 +index 8eaf51b..3229e0f 100644 --- a/mailman.te +++ b/mailman.te @@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4) @@ -35403,7 +35472,14 @@ index 8eaf51b..16086a5 100644 attribute mailman_domain; -@@ -56,10 +62,7 @@ setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) +@@ -50,16 +56,11 @@ manage_lnk_files_pattern(mailman_domain, mailman_data_t, mailman_data_t) + manage_files_pattern(mailman_domain, mailman_lock_t, mailman_lock_t) + files_lock_filetrans(mailman_domain, mailman_lock_t, file) + +-append_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) +-create_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) +-setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) ++manage_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) logging_log_filetrans(mailman_domain, mailman_log_t, file) kernel_read_kernel_sysctls(mailman_domain) @@ -35414,7 +35490,7 @@ index 8eaf51b..16086a5 100644 corenet_tcp_sendrecv_generic_if(mailman_domain) corenet_tcp_sendrecv_generic_node(mailman_domain) -@@ -82,10 +85,6 @@ fs_getattr_all_fs(mailman_domain) +@@ -82,10 +83,6 @@ fs_getattr_all_fs(mailman_domain) libs_exec_ld_so(mailman_domain) libs_exec_lib_files(mailman_domain) @@ -35425,7 +35501,7 @@ index 8eaf51b..16086a5 100644 ######################################## # # CGI local policy -@@ -115,8 +114,9 @@ optional_policy(` +@@ -115,8 +112,9 @@ optional_policy(` # Mail local policy # @@ -35437,7 +35513,7 @@ index 8eaf51b..16086a5 100644 manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) -@@ -127,8 +127,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t) +@@ -127,8 +125,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t) corenet_tcp_sendrecv_innd_port(mailman_mail_t) corenet_sendrecv_spamd_client_packets(mailman_mail_t) @@ -35447,7 +35523,7 @@ index 8eaf51b..16086a5 100644 dev_read_urand(mailman_mail_t) -@@ -142,6 +142,10 @@ optional_policy(` +@@ -142,6 +140,10 @@ optional_policy(` ') optional_policy(` @@ -35458,7 +35534,7 @@ index 8eaf51b..16086a5 100644 cron_read_pipes(mailman_mail_t) ') -@@ -182,3 +186,9 @@ optional_policy(` +@@ -182,3 +184,9 @@ optional_policy(` optional_policy(` su_exec(mailman_queue_t) ') @@ -36083,7 +36159,7 @@ index 9dbe694..f89651e 100644 admin_pattern($1, mcelog_var_run_t) ') diff --git a/mcelog.te b/mcelog.te -index 13ea191..b5fdecf 100644 +index 13ea191..c146d9c 100644 --- a/mcelog.te +++ b/mcelog.te @@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false) @@ -36115,7 +36191,7 @@ index 13ea191..b5fdecf 100644 - mls_file_read_all_levels(mcelog_t) -+auth_read_passwd(mcelog_t) ++auth_use_nsswitch(mcelog_t) + locallogin_use_fds(mcelog_t) @@ -37715,10 +37791,10 @@ index 4462c0e..84944d1 100644 userdom_dontaudit_use_unpriv_user_fds(monopd_t) diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..99d4eeb 100644 +index 6ffaba2..154cade 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -1,38 +1,66 @@ +@@ -1,38 +1,67 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) @@ -37760,6 +37836,7 @@ index 6ffaba2..99d4eeb 100644 +HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) + +# @@ -37820,7 +37897,7 @@ index 6ffaba2..99d4eeb 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..5fe7031 100644 +index 6194b80..f54f1e8 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -38532,13 +38609,13 @@ index 6194b80..5fe7031 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx") -+ #userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "POkemon Advanced Adventure") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS") + userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc") + gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla") ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..cfaf593 100644 +index 6a306ee..5222893 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -38982,7 +39059,7 @@ index 6a306ee..cfaf593 100644 ') optional_policy(` -@@ -300,221 +324,181 @@ optional_policy(` +@@ -300,221 +324,182 @@ optional_policy(` ######################################## # @@ -39161,6 +39238,7 @@ index 6a306ee..cfaf593 100644 +corenet_tcp_connect_transproxy_port(mozilla_plugin_t) corenet_tcp_connect_vnc_port(mozilla_plugin_t) -corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t) ++corenet_tcp_connect_whois_port(mozilla_plugin_t) +corenet_tcp_bind_generic_node(mozilla_plugin_t) +corenet_udp_bind_generic_node(mozilla_plugin_t) +corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t) @@ -39303,7 +39381,7 @@ index 6a306ee..cfaf593 100644 ') optional_policy(` -@@ -523,36 +507,48 @@ optional_policy(` +@@ -523,36 +508,48 @@ optional_policy(` ') optional_policy(` @@ -39365,7 +39443,7 @@ index 6a306ee..cfaf593 100644 ') optional_policy(` -@@ -560,7 +556,7 @@ optional_policy(` +@@ -560,7 +557,7 @@ optional_policy(` ') optional_policy(` @@ -39374,7 +39452,7 @@ index 6a306ee..cfaf593 100644 ') optional_policy(` -@@ -568,108 +564,118 @@ optional_policy(` +@@ -568,108 +565,118 @@ optional_policy(` ') optional_policy(` @@ -42132,7 +42210,7 @@ index 97370e4..27d3100 100644 + apache_search_sys_content(munin_t) +') diff --git a/mysql.fc b/mysql.fc -index c48dc17..43f60de 100644 +index c48dc17..f93fa69 100644 --- a/mysql.fc +++ b/mysql.fc @@ -1,11 +1,24 @@ @@ -42183,7 +42261,8 @@ index c48dc17..43f60de 100644 +/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) +/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) - /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) +-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) ++/var/log/mysql.* gen_context(system_u:object_r:mysqld_log_t,s0) -/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) -/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) @@ -42722,7 +42801,7 @@ index 687af38..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..2b85b52 100644 +index 9f6179e..5f38792 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ @@ -42773,7 +42852,7 @@ index 9f6179e..2b85b52 100644 type mysqld_initrc_exec_t; init_script_file(mysqld_initrc_exec_t) -@@ -62,26 +59,26 @@ files_pid_file(mysqlmanagerd_var_run_t) +@@ -62,27 +59,29 @@ files_pid_file(mysqlmanagerd_var_run_t) # Local policy # @@ -42804,11 +42883,15 @@ index 9f6179e..2b85b52 100644 +allow mysqld_t mysqld_etc_t:dir list_dir_perms; -allow mysqld_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -+allow mysqld_t mysqld_log_t:file manage_file_perms; - logging_log_filetrans(mysqld_t, mysqld_log_t, file) +-logging_log_filetrans(mysqld_t, mysqld_log_t, file) ++manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) ++manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) ++manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) ++logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file }) manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -@@ -93,50 +90,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) + manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) +@@ -93,50 +92,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) @@ -42880,7 +42963,7 @@ index 9f6179e..2b85b52 100644 ') optional_policy(` -@@ -144,6 +145,10 @@ optional_policy(` +@@ -144,6 +147,10 @@ optional_policy(` ') optional_policy(` @@ -42891,7 +42974,7 @@ index 9f6179e..2b85b52 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -153,29 +158,22 @@ optional_policy(` +@@ -153,29 +160,22 @@ optional_policy(` ####################################### # @@ -42926,7 +43009,7 @@ index 9f6179e..2b85b52 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,17 +185,21 @@ dev_list_sysfs(mysqld_safe_t) +@@ -187,17 +187,21 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -42954,7 +43037,7 @@ index 9f6179e..2b85b52 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -205,7 +207,7 @@ optional_policy(` +@@ -205,7 +209,7 @@ optional_policy(` ######################################## # @@ -42963,7 +43046,7 @@ index 9f6179e..2b85b52 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +216,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +218,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -42981,7 +43064,7 @@ index 9f6179e..2b85b52 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -226,31 +229,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +231,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -43243,10 +43326,10 @@ index 0000000..90129ac + mysql_tcp_connect(httpd_mythtv_script_t) +') diff --git a/nagios.fc b/nagios.fc -index d78dfc3..9590368 100644 +index d78dfc3..a00cc2d 100644 --- a/nagios.fc +++ b/nagios.fc -@@ -1,88 +1,93 @@ +@@ -1,88 +1,97 @@ -/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) -/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) +/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) @@ -43379,12 +43462,15 @@ index d78dfc3..9590368 100644 +/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) -+# label all nagios plugin as unconfined by default -+/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) ++# openshift plugins ++/usr/lib64/nagios/plugins/check_node_accept_status -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0) ++/usr/lib64/nagios/plugins/check_number_openshift_apps -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0) -/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -- ++# label all nagios plugin as unconfined by default ++/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) + -/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0) -/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0) - @@ -43631,7 +43717,7 @@ index 0641e97..d7d9a79 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 44ad3b7..d731adf 100644 +index 44ad3b7..c738393 100644 --- a/nagios.te +++ b/nagios.te @@ -27,7 +27,7 @@ type nagios_var_run_t; @@ -43643,7 +43729,25 @@ index 44ad3b7..d731adf 100644 type nagios_var_lib_t; files_type(nagios_var_lib_t) -@@ -63,19 +63,20 @@ files_pid_file(nrpe_var_run_t) +@@ -39,6 +39,7 @@ nagios_plugin_template(services) + nagios_plugin_template(system) + nagios_plugin_template(unconfined) + nagios_plugin_template(eventhandler) ++nagios_plugin_template(openshift) + + type nagios_eventhandler_plugin_tmp_t; + files_tmp_file(nagios_eventhandler_plugin_tmp_t) +@@ -46,6 +47,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t) + type nagios_system_plugin_tmp_t; + files_tmp_file(nagios_system_plugin_tmp_t) + ++type nagios_openshift_plugin_tmp_t; ++files_tmp_file(nagios_openshift_plugin_tmp_t) ++ + type nrpe_t; + type nrpe_exec_t; + init_daemon_domain(nrpe_t, nrpe_exec_t) +@@ -63,19 +67,20 @@ files_pid_file(nrpe_var_run_t) allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms; @@ -43659,18 +43763,19 @@ index 44ad3b7..d731adf 100644 - dev_read_urand(nagios_plugin_domain) dev_read_rand(nagios_plugin_domain) ++dev_read_sysfs(nagios_plugin_domain) -files_read_usr_files(nagios_plugin_domain) - -miscfiles_read_localization(nagios_plugin_domain) - +- -userdom_use_user_terminals(nagios_plugin_domain) +userdom_use_inherited_user_ptys(nagios_plugin_domain) +userdom_use_inherited_user_ttys(nagios_plugin_domain) ######################################## # -@@ -110,7 +111,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) +@@ -110,7 +115,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) @@ -43680,7 +43785,7 @@ index 44ad3b7..d731adf 100644 manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) -@@ -123,7 +125,6 @@ kernel_read_software_raid_state(nagios_t) +@@ -123,7 +129,6 @@ kernel_read_software_raid_state(nagios_t) corecmd_exec_bin(nagios_t) corecmd_exec_shell(nagios_t) @@ -43688,7 +43793,7 @@ index 44ad3b7..d731adf 100644 corenet_all_recvfrom_netlabel(nagios_t) corenet_tcp_sendrecv_generic_if(nagios_t) corenet_tcp_sendrecv_generic_node(nagios_t) -@@ -143,7 +144,6 @@ domain_read_all_domains_state(nagios_t) +@@ -143,7 +148,6 @@ domain_read_all_domains_state(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) @@ -43696,7 +43801,7 @@ index 44ad3b7..d731adf 100644 files_search_spool(nagios_t) fs_getattr_all_fs(nagios_t) -@@ -153,8 +153,6 @@ auth_use_nsswitch(nagios_t) +@@ -153,8 +157,6 @@ auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) @@ -43705,7 +43810,7 @@ index 44ad3b7..d731adf 100644 userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) -@@ -178,6 +176,7 @@ optional_policy(` +@@ -178,6 +180,7 @@ optional_policy(` # # CGI local policy # @@ -43713,15 +43818,18 @@ index 44ad3b7..d731adf 100644 optional_policy(` apache_content_template(nagios) typealias httpd_nagios_script_t alias nagios_cgi_t; -@@ -231,7 +230,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin +@@ -229,9 +232,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) + domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) + ++kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) kernel_read_software_raid_state(nrpe_t) -kernel_read_system_state(nrpe_t) corecmd_exec_bin(nrpe_t) corecmd_exec_shell(nrpe_t) -@@ -253,7 +251,6 @@ domain_use_interactive_fds(nrpe_t) +@@ -253,7 +256,6 @@ domain_use_interactive_fds(nrpe_t) domain_read_all_domains_state(nrpe_t) files_read_etc_runtime_files(nrpe_t) @@ -43729,7 +43837,7 @@ index 44ad3b7..d731adf 100644 fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -262,8 +259,6 @@ auth_use_nsswitch(nrpe_t) +@@ -262,8 +264,6 @@ auth_use_nsswitch(nrpe_t) logging_send_syslog_msg(nrpe_t) @@ -43738,7 +43846,7 @@ index 44ad3b7..d731adf 100644 userdom_dontaudit_use_unpriv_user_fds(nrpe_t) optional_policy(` -@@ -310,15 +305,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -310,15 +310,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; @@ -43757,7 +43865,7 @@ index 44ad3b7..d731adf 100644 logging_send_syslog_msg(nagios_mail_plugin_t) sysnet_dns_name_resolve(nagios_mail_plugin_t) -@@ -345,6 +340,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; +@@ -345,6 +345,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; kernel_read_software_raid_state(nagios_checkdisk_plugin_t) @@ -43767,7 +43875,7 @@ index 44ad3b7..d731adf 100644 files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) files_read_etc_runtime_files(nagios_checkdisk_plugin_t) -@@ -357,9 +355,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -357,9 +360,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) # Services local policy # @@ -43781,7 +43889,7 @@ index 44ad3b7..d731adf 100644 corecmd_exec_bin(nagios_services_plugin_t) -@@ -391,6 +391,7 @@ optional_policy(` +@@ -391,6 +396,7 @@ optional_policy(` optional_policy(` mysql_stream_connect(nagios_services_plugin_t) @@ -43789,7 +43897,7 @@ index 44ad3b7..d731adf 100644 ') optional_policy(` -@@ -411,6 +412,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -411,6 +417,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) @@ -43797,7 +43905,7 @@ index 44ad3b7..d731adf 100644 kernel_read_kernel_sysctls(nagios_system_plugin_t) corecmd_exec_bin(nagios_system_plugin_t) -@@ -420,10 +422,10 @@ dev_read_sysfs(nagios_system_plugin_t) +@@ -420,10 +427,10 @@ dev_read_sysfs(nagios_system_plugin_t) domain_read_all_domains_state(nagios_system_plugin_t) @@ -43810,7 +43918,7 @@ index 44ad3b7..d731adf 100644 optional_policy(` init_read_utmp(nagios_system_plugin_t) ') -@@ -442,6 +444,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) +@@ -442,11 +449,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) init_domtrans_script(nagios_eventhandler_plugin_t) @@ -43824,8 +43932,32 @@ index 44ad3b7..d731adf 100644 + ######################################## # - # Unconfined plugin policy -@@ -450,3 +460,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t) +-# Unconfined plugin policy ++# nagios openshift plugin policy ++# ++ ++allow nagios_openshift_plugin_t self:capability sys_ptrace; ++ ++manage_dirs_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t) ++manage_files_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t) ++files_tmp_filetrans(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, { file dir }) ++ ++corecmd_exec_bin(nagios_openshift_plugin_t) ++corecmd_exec_shell(nagios_openshift_plugin_t) ++ ++domain_read_all_domains_state(nagios_openshift_plugin_t) ++ ++fs_getattr_all_fs(nagios_openshift_plugin_t) ++ ++optional_policy(` ++ apache_read_config(nagios_openshift_plugin_t) ++') ++ ++###################################### ++# ++# nagios plugin domain policy + # + optional_policy(` unconfined_domain(nagios_unconfined_plugin_t) ') @@ -47972,7 +48104,7 @@ index b59196f..017b36f 100644 + files_etc_filetrans($1, ntp_conf_t, dir, "ntp") ') diff --git a/ntp.te b/ntp.te -index b90e343..71042cd 100644 +index b90e343..8369b61 100644 --- a/ntp.te +++ b/ntp.te @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; @@ -47985,7 +48117,18 @@ index b90e343..71042cd 100644 type ntp_conf_t; files_config_file(ntp_conf_t) -@@ -83,21 +86,16 @@ kernel_read_system_state(ntpd_t) +@@ -60,9 +63,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) + read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) + + allow ntpd_t ntpd_log_t:dir setattr_dir_perms; +-append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) +-create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) +-setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) ++manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) + logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) + + manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) +@@ -83,21 +84,16 @@ kernel_read_system_state(ntpd_t) kernel_read_network_state(ntpd_t) kernel_request_load_module(ntpd_t) @@ -48009,7 +48152,7 @@ index b90e343..71042cd 100644 corecmd_exec_bin(ntpd_t) corecmd_exec_shell(ntpd_t) -@@ -110,13 +108,15 @@ domain_use_interactive_fds(ntpd_t) +@@ -110,13 +106,15 @@ domain_use_interactive_fds(ntpd_t) domain_dontaudit_list_all_domains_state(ntpd_t) files_read_etc_runtime_files(ntpd_t) @@ -48026,7 +48169,7 @@ index b90e343..71042cd 100644 auth_use_nsswitch(ntpd_t) -@@ -124,8 +124,6 @@ init_exec_script_files(ntpd_t) +@@ -124,8 +122,6 @@ init_exec_script_files(ntpd_t) logging_send_syslog_msg(ntpd_t) @@ -50206,10 +50349,10 @@ index 0000000..fdc4a03 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..35f9df0 +index 0000000..c1eed44 --- /dev/null +++ b/openshift.te -@@ -0,0 +1,547 @@ +@@ -0,0 +1,549 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -50651,6 +50794,8 @@ index 0000000..35f9df0 + +kernel_read_system_state(openshift_cgroup_read_t) + ++term_dontaudit_use_generic_ptys(openshift_cgroup_read_t) ++ +miscfiles_read_localization(openshift_cgroup_read_t) + +optional_policy(` @@ -51167,7 +51312,7 @@ index 9b15730..eedd136 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 508fedf..9d7741b 100644 +index 508fedf..ba9ff22 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -1,4 +1,4 @@ @@ -51190,7 +51335,7 @@ index 508fedf..9d7741b 100644 type openvswitch_var_lib_t; files_type(openvswitch_var_lib_t) -@@ -24,20 +21,26 @@ logging_log_file(openvswitch_log_t) +@@ -24,20 +21,28 @@ logging_log_file(openvswitch_log_t) type openvswitch_var_run_t; files_pid_file(openvswitch_var_run_t) @@ -51206,6 +51351,8 @@ index 508fedf..9d7741b 100644 -allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock }; -allow openvswitch_t self:process { setrlimit setsched signal }; +allow openvswitch_t self:capability { net_admin ipc_lock sys_nice sys_resource }; ++allow openvswitch_t openvswitch_t : capability { sys_module }; ++allow openvswitch_t openvswitch_t : capability2 { block_suspend }; +allow openvswitch_t self:process { fork setsched setrlimit signal }; allow openvswitch_t self:fifo_file rw_fifo_file_perms; -allow openvswitch_t self:rawip_socket create_socket_perms; @@ -51213,19 +51360,19 @@ index 508fedf..9d7741b 100644 +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow openvswitch_t self:netlink_socket create_socket_perms; +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms; ++ ++can_exec(openvswitch_t, openvswitch_exec_t) -manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -+can_exec(openvswitch_t, openvswitch_exec_t) -+ +manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) +manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) +manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) -@@ -45,9 +48,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l +@@ -45,9 +50,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file }) manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) @@ -51236,7 +51383,7 @@ index 508fedf..9d7741b 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -57,33 +58,34 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ +@@ -57,33 +60,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) @@ -51256,6 +51403,7 @@ index 508fedf..9d7741b 100644 +dev_read_rand(openvswitch_t) dev_read_urand(openvswitch_t) ++dev_read_sysfs(openvswitch_t) domain_use_interactive_fds(openvswitch_t) @@ -51280,6 +51428,9 @@ index 508fedf..9d7741b 100644 iptables_domtrans(openvswitch_t) ') + ++optional_policy(` ++ plymouthd_exec_plymouth(openvswitch_t) ++') diff --git a/pacemaker.fc b/pacemaker.fc index 2f0ad56..d4da0b8 100644 --- a/pacemaker.fc @@ -52037,10 +52188,10 @@ index 96db654..ff3aadd 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..173813f 100644 +index dfd46e4..2f407d6 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,15 @@ +@@ -1,15 +1,16 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) -/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) - @@ -52065,6 +52216,7 @@ index dfd46e4..173813f 100644 + +#openlmi agents +/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) diff --git a/pegasus.if b/pegasus.if index d2fc677..ded726f 100644 --- a/pegasus.if @@ -52166,7 +52318,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..fa856e9 100644 +index 7bcf327..c1035d4 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -52190,12 +52342,14 @@ index 7bcf327..fa856e9 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,73 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,115 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) +# pegasus openlmi providers +pegasus_openlmi_domain_template(account) ++pegasus_openlmi_domain_template(logicalfile) ++pegasus_openlmi_domain_template(unconfined) + +####################################### +# @@ -52245,6 +52399,46 @@ index 7bcf327..fa856e9 100644 + # run userdel + usermanage_domtrans_useradd(pegasus_openlmi_account_t) +') ++ ++###################################### ++# ++# pegasus openlmi logicalfile local policy ++# ++ ++allow pegasus_openlmi_logicalfile_t self:capability { setuid setgid dac_override }; ++files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t) ++files_manage_non_security_files(pegasus_openlmi_logicalfile_t) ++ ++dev_getattr_all_blk_files(pegasus_openlmi_logicalfile_t) ++dev_getattr_all_chr_files(pegasus_openlmi_logicalfile_t) ++ ++files_list_all(pegasus_openlmi_logicalfile_t) ++files_read_all_files(pegasus_openlmi_logicalfile_t) ++files_read_all_symlinks(pegasus_openlmi_logicalfile_t) ++files_read_all_blk_files(pegasus_openlmi_logicalfile_t) ++files_read_all_chr_files(pegasus_openlmi_logicalfile_t) ++files_getattr_all_pipes(pegasus_openlmi_logicalfile_t) ++files_getattr_all_sockets(pegasus_openlmi_logicalfile_t) ++ ++# Add/remove user home directories ++userdom_home_filetrans_user_home_dir(pegasus_openlmi_logicalfile_t) ++userdom_manage_home_role(system_r, pegasus_openlmi_logicalfile_t) ++userdom_delete_all_user_home_content(pegasus_openlmi_logicalfile_t) ++ ++optional_policy(` ++ # it can delete/create empty dirs ++ # so we want to have unconfined_domain attribute for filename rules ++ unconfined_domain(pegasus_openlmi_logicalfile_t) ++') ++ ++###################################### ++# ++# pegasus openlmi unconfined local policy ++# ++ ++optional_policy(` ++ unconfined_domain(pegasus_openlmi_unconfined_t) ++') + ######################################## # @@ -52269,7 +52463,7 @@ index 7bcf327..fa856e9 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +106,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +148,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -52300,7 +52494,7 @@ index 7bcf327..fa856e9 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +132,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +174,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -52333,7 +52527,7 @@ index 7bcf327..fa856e9 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +160,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +202,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -52341,7 +52535,7 @@ index 7bcf327..fa856e9 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +175,25 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +217,25 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -52359,21 +52553,21 @@ index 7bcf327..fa856e9 100644 - dbus_connect_system_bus(pegasus_t) + dbus_system_bus_client(pegasus_t) + dbus_connect_system_bus(pegasus_t) - -- optional_policy(` -- networkmanager_dbus_chat(pegasus_t) -- ') ++ + optional_policy(` + networkmanager_dbus_chat(pegasus_t) + ') +') -+ + +- optional_policy(` +- networkmanager_dbus_chat(pegasus_t) +- ') +optional_policy(` + rhcs_stream_connect_cluster(pegasus_t) ') optional_policy(` -@@ -151,16 +205,23 @@ optional_policy(` +@@ -151,16 +247,23 @@ optional_policy(` ') optional_policy(` @@ -52401,7 +52595,7 @@ index 7bcf327..fa856e9 100644 ') optional_policy(` -@@ -168,7 +229,7 @@ optional_policy(` +@@ -168,7 +271,7 @@ optional_policy(` ') optional_policy(` @@ -53579,12 +53773,13 @@ index 0000000..0c167b7 +/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) diff --git a/pki.if b/pki.if new file mode 100644 -index 0000000..6329c9c +index 0000000..898a5e8 --- /dev/null +++ b/pki.if -@@ -0,0 +1,273 @@ +@@ -0,0 +1,292 @@ + +## policy for pki ++ +######################################## +## +## Allow read and write pki cert files. @@ -53607,6 +53802,24 @@ index 0000000..6329c9c + +######################################## +## ++## Allow domain to read pki cert files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_read_tomcat_cert',` ++ gen_require(` ++ type pki_tomcat_cert_t; ++ ') ++ ++ read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t) ++') ++ ++######################################## ++## +## Create a set of derived types for apache +## web content. +## @@ -59833,6 +60046,346 @@ index d447152..a911295 100644 sendmail_domtrans(procmail_t) sendmail_signal(procmail_t) sendmail_dontaudit_rw_tcp_sockets(procmail_t) +diff --git a/prosody.fc b/prosody.fc +new file mode 100644 +index 0000000..96a0d9f +--- /dev/null ++++ b/prosody.fc +@@ -0,0 +1,8 @@ ++/usr/bin/prosody -- gen_context(system_u:object_r:prosody_exec_t,s0) ++/usr/bin/prosodyctl -- gen_context(system_u:object_r:prosody_exec_t,s0) ++ ++/usr/lib/systemd/system/prosody.service -- gen_context(system_u:object_r:prosody_unit_file_t,s0) ++ ++/var/lib/prosody(/.*)? gen_context(system_u:object_r:prosody_var_lib_t,s0) ++ ++/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0) +diff --git a/prosody.if b/prosody.if +new file mode 100644 +index 0000000..8867237 +--- /dev/null ++++ b/prosody.if +@@ -0,0 +1,239 @@ ++ ++## policy for prosody ++ ++######################################## ++## ++## Execute TEMPLATE in the prosody domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`prosody_domtrans',` ++ gen_require(` ++ type prosody_t, prosody_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, prosody_exec_t, prosody_t) ++') ++ ++######################################## ++## ++## Search prosody lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prosody_search_lib',` ++ gen_require(` ++ type prosody_var_lib_t; ++ ') ++ ++ allow $1 prosody_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read prosody lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prosody_read_lib_files',` ++ gen_require(` ++ type prosody_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t) ++') ++ ++######################################## ++## ++## Manage prosody lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prosody_manage_lib_files',` ++ gen_require(` ++ type prosody_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t) ++') ++ ++######################################## ++## ++## Manage prosody lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prosody_manage_lib_dirs',` ++ gen_require(` ++ type prosody_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, prosody_var_lib_t, prosody_var_lib_t) ++') ++ ++######################################## ++## ++## Read prosody PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prosody_read_pid_files',` ++ gen_require(` ++ type prosody_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, prosody_var_run_t, prosody_var_run_t) ++') ++ ++######################################## ++## ++## Execute prosody server in the prosody domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`prosody_systemctl',` ++ gen_require(` ++ type prosody_t; ++ type prosody_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 prosody_unit_file_t:file read_file_perms; ++ allow $1 prosody_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, prosody_t) ++') ++ ++ ++######################################## ++## ++## Execute prosody in the prosody domain, and ++## allow the specified role the prosody domain. ++## ++## ++## ++## Domain allowed to transition ++## ++## ++## ++## ++## The role to be allowed the prosody domain. ++## ++## ++# ++interface(`prosody_run',` ++ gen_require(` ++ type prosody_t; ++ attribute_role prosody_roles; ++ ') ++ ++ prosody_domtrans($1) ++ roleattribute $2 prosody_roles; ++') ++ ++######################################## ++## ++## Role access for prosody ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`prosody_role',` ++ gen_require(` ++ type prosody_t; ++ attribute_role prosody_roles; ++ ') ++ ++ roleattribute $1 prosody_roles; ++ ++ prosody_domtrans($2) ++ ++ ps_process_pattern($2, prosody_t) ++ allow $2 prosody_t:process { signull signal sigkill }; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an prosody environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`prosody_admin',` ++ gen_require(` ++ type prosody_t; ++ type prosody_var_lib_t; ++ type prosody_var_run_t; ++ type prosody_unit_file_t; ++ ') ++ ++ allow $1 prosody_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, prosody_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, prosody_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, prosody_var_run_t) ++ ++ prosody_systemctl($1) ++ admin_pattern($1, prosody_unit_file_t) ++ allow $1 prosody_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/prosody.te b/prosody.te +new file mode 100644 +index 0000000..4f6badd +--- /dev/null ++++ b/prosody.te +@@ -0,0 +1,75 @@ ++policy_module(prosody, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++## ++##

++## Permit to prosody to bind apache port. ++## Need to be activated to use BOSH. ++##

++##
++gen_tunable(prosody_bind_http_port, false) ++ ++type prosody_t; ++type prosody_exec_t; ++init_daemon_domain(prosody_t, prosody_exec_t) ++ ++type prosody_var_lib_t; ++files_type(prosody_var_lib_t) ++ ++type prosody_var_run_t; ++files_pid_file(prosody_var_run_t) ++ ++type prosody_unit_file_t; ++systemd_unit_file(prosody_unit_file_t) ++ ++######################################## ++# ++# prosody local policy ++# ++allow prosody_t self:capability { setuid setgid }; ++allow prosody_t self:process signal_perms; ++allow prosody_t self:tcp_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t) ++manage_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t) ++manage_lnk_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t) ++files_var_lib_filetrans(prosody_t, prosody_var_lib_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t) ++manage_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t) ++manage_lnk_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t) ++files_pid_filetrans(prosody_t, prosody_var_run_t, { dir file lnk_file }) ++ ++can_exec(prosody_t, prosody_exec_t) ++ ++kernel_read_system_state(prosody_t) ++ ++corecmd_exec_bin(prosody_t) ++corecmd_exec_shell(prosody_t) ++ ++corenet_udp_bind_generic_node(prosody_t) ++corenet_tcp_connect_jabber_interserver_port(prosody_t) ++corenet_tcp_connect_jabber_client_port(prosody_t) ++corenet_tcp_bind_jabber_client_port(prosody_t) ++corenet_tcp_bind_jabber_interserver_port(prosody_t) ++corenet_tcp_bind_jabber_router_port(prosody_t) ++tunable_policy(`prosody_bind_http_port',` ++ corenet_tcp_bind_http_port(prosody_t) ++') ++ ++dev_read_urand(prosody_t) ++ ++domain_use_interactive_fds(prosody_t) ++ ++files_read_etc_files(prosody_t) ++ ++auth_use_nsswitch(prosody_t) ++sysnet_read_config(prosody_t) ++ ++logging_send_syslog_msg(prosody_t) ++ ++miscfiles_read_localization(prosody_t) diff --git a/psad.if b/psad.if index d4dcf78..59ab964 100644 --- a/psad.if @@ -69907,7 +70460,7 @@ index 3bd6446..a61764b 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index e5212e6..df782bf 100644 +index e5212e6..4fb05d7 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ @@ -70118,7 +70671,7 @@ index e5212e6..df782bf 100644 ') ######################################## -@@ -195,41 +141,56 @@ optional_policy(` +@@ -195,41 +141,57 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -70146,6 +70699,7 @@ index e5212e6..df782bf 100644 - -corecmd_exec_shell(nfsd_t) +corenet_udp_bind_mountd_port(nfsd_t) ++corenet_tcp_bind_mountd_port(nfsd_t) dev_dontaudit_getattr_all_blk_files(nfsd_t) dev_dontaudit_getattr_all_chr_files(nfsd_t) @@ -70182,7 +70736,7 @@ index e5212e6..df782bf 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -238,7 +199,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -238,7 +200,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -70190,7 +70744,7 @@ index e5212e6..df782bf 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -250,12 +210,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -250,12 +211,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -70205,7 +70759,7 @@ index e5212e6..df782bf 100644 ') ######################################## -@@ -271,6 +231,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -271,6 +232,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -70213,7 +70767,7 @@ index e5212e6..df782bf 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -279,25 +240,29 @@ kernel_signal(gssd_t) +@@ -279,25 +241,29 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -70246,7 +70800,7 @@ index e5212e6..df782bf 100644 ') optional_policy(` -@@ -306,8 +271,11 @@ optional_policy(` +@@ -306,8 +272,11 @@ optional_policy(` optional_policy(` kerberos_keytab_template(gssd, gssd_t) @@ -75111,10 +75665,10 @@ index 0000000..5da5bff +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..5021551 +index 0000000..ce3ac47 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,467 @@ +@@ -0,0 +1,481 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -75463,21 +76017,35 @@ index 0000000..5021551 +corenet_tcp_sendrecv_squid_port(sandbox_web_type) +corenet_tcp_sendrecv_ftp_port(sandbox_web_type) +corenet_tcp_sendrecv_ipp_port(sandbox_web_type) -+corenet_tcp_connect_http_port(sandbox_web_type) -+corenet_tcp_connect_http_cache_port(sandbox_web_type) -+corenet_tcp_connect_squid_port(sandbox_web_type) ++corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type) ++corenet_tcp_connect_aol_port(sandbox_web_type) ++corenet_tcp_connect_asterisk_port(sandbox_web_type) ++corenet_tcp_connect_commplex_link_port(sandbox_web_type) ++corenet_tcp_connect_couchdb_port(sandbox_web_type) +corenet_tcp_connect_flash_port(sandbox_web_type) +corenet_tcp_connect_ftp_port(sandbox_web_type) -+corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type) -+corenet_tcp_connect_ipp_port(sandbox_web_type) -+corenet_tcp_connect_ms_streaming_port(sandbox_web_type) -+corenet_tcp_connect_rtsp_port(sandbox_web_type) -+corenet_tcp_connect_pulseaudio_port(sandbox_web_type) -+corenet_tcp_connect_tor_port(sandbox_web_type) -+corenet_tcp_connect_speech_port(sandbox_web_type) ++corenet_tcp_connect_gatekeeper_port(sandbox_web_type) +corenet_tcp_connect_generic_port(sandbox_web_type) ++corenet_tcp_connect_http_cache_port(sandbox_web_type) ++corenet_tcp_connect_http_port(sandbox_web_type) ++corenet_tcp_connect_ipp_port(sandbox_web_type) ++corenet_tcp_connect_ipsecnat_port(sandbox_web_type) ++corenet_tcp_connect_ircd_port(sandbox_web_type) ++corenet_tcp_connect_jabber_client_port(sandbox_web_type) ++corenet_tcp_connect_jboss_management_port(sandbox_web_type) ++corenet_tcp_connect_mmcc_port(sandbox_web_type) ++corenet_tcp_connect_monopd_port(sandbox_web_type) ++corenet_tcp_connect_msnp_port(sandbox_web_type) ++corenet_tcp_connect_ms_streaming_port(sandbox_web_type) ++corenet_tcp_connect_pulseaudio_port(sandbox_web_type) ++corenet_tcp_connect_rtsp_port(sandbox_web_type) +corenet_tcp_connect_soundd_port(sandbox_web_type) +corenet_tcp_connect_speech_port(sandbox_web_type) ++corenet_tcp_connect_squid_port(sandbox_web_type) ++corenet_tcp_connect_tor_port(sandbox_web_type) ++corenet_tcp_connect_transproxy_port(sandbox_web_type) ++corenet_tcp_connect_vnc_port(sandbox_web_type) ++corenet_tcp_connect_whois_port(sandbox_web_type) +corenet_sendrecv_http_client_packets(sandbox_web_type) +corenet_sendrecv_http_cache_client_packets(sandbox_web_type) +corenet_sendrecv_squid_client_packets(sandbox_web_type) @@ -79361,7 +79929,7 @@ index 7d86b34..5f58180 100644 + files_list_pids($1) ') diff --git a/snort.te b/snort.te -index ccd28bb..b9e856e 100644 +index ccd28bb..80106ac 100644 --- a/snort.te +++ b/snort.te @@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t) @@ -79387,7 +79955,7 @@ index ccd28bb..b9e856e 100644 corenet_all_recvfrom_netlabel(snort_t) corenet_tcp_sendrecv_generic_if(snort_t) corenet_udp_sendrecv_generic_if(snort_t) -@@ -86,7 +88,6 @@ dev_rw_generic_usb_dev(snort_t) +@@ -86,18 +88,17 @@ dev_rw_generic_usb_dev(snort_t) domain_use_interactive_fds(snort_t) @@ -79395,7 +79963,11 @@ index ccd28bb..b9e856e 100644 files_dontaudit_read_etc_runtime_files(snort_t) fs_getattr_all_fs(snort_t) -@@ -96,8 +97,6 @@ init_read_utmp(snort_t) + fs_search_auto_mountpoints(snort_t) + ++auth_read_passwd(snort_t) ++ + init_read_utmp(snort_t) logging_send_syslog_msg(snort_t) @@ -79512,16 +80084,18 @@ index db1bc6f..b6c0d16 100644 userdom_dontaudit_use_unpriv_user_fds(soundd_t) diff --git a/spamassassin.fc b/spamassassin.fc -index e9bd097..80c9e56 100644 +index e9bd097..e059e27 100644 --- a/spamassassin.fc +++ b/spamassassin.fc -@@ -1,20 +1,24 @@ +@@ -1,20 +1,26 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) -HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) +HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) ++HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +/root/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) ++/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +/root/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -79548,7 +80122,7 @@ index e9bd097..80c9e56 100644 /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) /var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0) -@@ -25,7 +29,25 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) +@@ -25,7 +31,22 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) @@ -79559,9 +80133,6 @@ index e9bd097..80c9e56 100644 /var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) /var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) + -+/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) -+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) -+ +/etc/pyzor(/.*)? gen_context(system_u:object_r:spamd_etc_t, s0) +/etc/razor(/.*)? gen_context(system_u:object_r:spamd_etc_t,s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) @@ -79577,7 +80148,7 @@ index e9bd097..80c9e56 100644 +/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0) +/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0) diff --git a/spamassassin.if b/spamassassin.if -index 1499b0b..3052bd2 100644 +index 1499b0b..6950cab 100644 --- a/spamassassin.if +++ b/spamassassin.if @@ -2,39 +2,45 @@ @@ -79929,7 +80500,7 @@ index 1499b0b..3052bd2 100644 ##
## ## -@@ -348,19 +323,60 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` +@@ -348,19 +323,62 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` ## ## # @@ -79963,6 +80534,7 @@ index 1499b0b..3052bd2 100644 + userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor") + userdom_user_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin") + userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamd") ++ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".razor") +') + +###################################### @@ -79983,6 +80555,7 @@ index 1499b0b..3052bd2 100644 + userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor") + userdom_admin_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin") + userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamd") ++ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".razor") +') + + @@ -79995,7 +80568,7 @@ index 1499b0b..3052bd2 100644 ##
## ## -@@ -369,20 +385,22 @@ interface(`spamassassin_stream_connect_spamd',` +@@ -369,20 +387,22 @@ interface(`spamassassin_stream_connect_spamd',` ## ## ## @@ -80022,7 +80595,7 @@ index 1499b0b..3052bd2 100644 init_labeled_script_domtrans($1, spamd_initrc_exec_t) domain_system_change_exemption($1) -@@ -403,6 +421,4 @@ interface(`spamassassin_admin',` +@@ -403,6 +423,4 @@ interface(`spamassassin_admin',` files_list_pids($1) admin_pattern($1, spamd_var_run_t) @@ -82647,10 +83220,10 @@ index ac8213a..20fa71f 100644 - -miscfiles_read_localization(tcsd_t) diff --git a/telepathy.fc b/telepathy.fc -index c7de0cf..a275bd6 100644 +index c7de0cf..9813503 100644 --- a/telepathy.fc +++ b/telepathy.fc -@@ -1,34 +1,21 @@ +@@ -1,34 +1,22 @@ -HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0) +HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0) @@ -82700,6 +83273,7 @@ index c7de0cf..a275bd6 100644 +/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0) +/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0) +/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0) ++/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0) +/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/telepathy.if b/telepathy.if @@ -84793,7 +85367,7 @@ index 67ca5c5..a1ef2d2 100644 fs_search_auto_mountpoints(timidity_t) diff --git a/tmpreaper.te b/tmpreaper.te -index a4a949c..0ac90ac 100644 +index a4a949c..e56b59e 100644 --- a/tmpreaper.te +++ b/tmpreaper.te @@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3) @@ -84861,11 +85435,12 @@ index a4a949c..0ac90ac 100644 apache_list_cache(tmpreaper_t) apache_delete_cache_dirs(tmpreaper_t) apache_delete_cache_files(tmpreaper_t) -@@ -69,7 +78,19 @@ optional_policy(` +@@ -69,7 +78,20 @@ optional_policy(` ') optional_policy(` - lpd_manage_spool(tmpreaper_t) ++ lpd_list_spool(tmpreaper_t) + lpd_read_spool(tmpreaper_t) +') + @@ -94273,10 +94848,10 @@ index b0803c2..13da3cf 100644 +') diff --git a/zoneminder.fc b/zoneminder.fc new file mode 100644 -index 0000000..e1602ec +index 0000000..a468da3 --- /dev/null +++ b/zoneminder.fc -@@ -0,0 +1,24 @@ +@@ -0,0 +1,26 @@ +/etc/rc\.d/init\.d/motion -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0) + +/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0) @@ -94285,6 +94860,8 @@ index 0000000..e1602ec + +/usr/bin/zmpkg.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0) + ++/usr/lib/systemd/system/zoneminder.* -- gen_context(system_u:object_r:zoneminder_unit_file_t,s0) ++ +/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0) + +/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0) @@ -94646,10 +95223,10 @@ index 0000000..c72a70d + diff --git a/zoneminder.te b/zoneminder.te new file mode 100644 -index 0000000..67b461b +index 0000000..bdb821a --- /dev/null +++ b/zoneminder.te -@@ -0,0 +1,121 @@ +@@ -0,0 +1,174 @@ +policy_module(zoneminder, 1.0.0) + +######################################## @@ -94659,16 +95236,31 @@ index 0000000..67b461b + +## +##

++## Allow ZoneMinder to run su/sudo. ++##

++##
++gen_tunable(zoneminder_run_sudo, false) ++ ++ ++## ++##

+## Allow ZoneMinder to modify public files +## used for public file transfer services. +##

+##
+gen_tunable(zoneminder_anon_write, false) + ++gen_require(` ++ class passwd rootok; ++ ') ++ +type zoneminder_t; +type zoneminder_exec_t; +init_daemon_domain(zoneminder_t, zoneminder_exec_t) + ++type zoneminder_unit_file_t; ++systemd_unit_file(zoneminder_unit_file_t) ++ +type zoneminder_initrc_exec_t; +init_script_file(zoneminder_initrc_exec_t) + @@ -94709,7 +95301,8 @@ index 0000000..67b461b +manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) +manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) +manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) -+files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file sock_file }) ++manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t) ++files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file lnk_file sock_file }) + +manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t) +manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t) @@ -94722,6 +95315,8 @@ index 0000000..67b461b + +kernel_read_system_state(zoneminder_t) + ++domain_read_all_domains_state(zoneminder_t) ++ +corecmd_exec_bin(zoneminder_t) +corecmd_exec_shell(zoneminder_t) + @@ -94735,15 +95330,45 @@ index 0000000..67b461b +dev_read_video_dev(zoneminder_t) +dev_write_video_dev(zoneminder_t) + -+ +auth_use_nsswitch(zoneminder_t) + +logging_send_syslog_msg(zoneminder_t) ++logging_send_audit_msgs(zoneminder_t) ++ ++mta_send_mail(zoneminder_t) + +tunable_policy(`zoneminder_anon_write',` + miscfiles_manage_public_files(zoneminder_t) +') + ++tunable_policy(`zoneminder_run_sudo',` ++ allow zoneminder_t self:capability { setuid setgid sys_resource }; ++ allow zoneminder_t self:process { setrlimit setsched }; ++ allow zoneminder_t self:key write; ++ allow zoneminder_t self:passwd rootok; ++ ++ auth_rw_lastlog(zoneminder_t) ++ ++ selinux_compute_access_vector(zoneminder_t) ++ ++ systemd_write_inherited_logind_sessions_pipes(zoneminder_t) ++ systemd_dbus_chat_logind(zoneminder_t) ++ ++ xserver_exec_xauth(zoneminder_t) ++') ++ ++optional_policy(` ++ tunable_policy(`zoneminder_run_sudo',` ++ dbus_system_bus_client(zoneminder_t) ++ ') ++') ++ ++optional_policy(` ++ tunable_policy(`zoneminder_run_sudo',` ++ sudo_exec(zoneminder_t) ++ su_exec(zoneminder_t) ++ ') ++') +optional_policy(` + mysql_stream_connect(zoneminder_t) +') @@ -94760,7 +95385,12 @@ index 0000000..67b461b + #allow httpd_zoneminder_script_t self:shm create_shm_perms; + + manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t) ++ ++ rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t) ++ + zoneminder_stream_connect(httpd_zoneminder_script_t) ++ ++ can_exec(zoneminder_t, httpd_zoneminder_script_exec_t) + + files_search_var_lib(httpd_zoneminder_script_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index eddfbfca..2fcda059 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 58%{?dist} +Release: 59%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -539,6 +539,47 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jul 3 2013 Miroslav Grepl 3.12.1-59 +- Add prosody policy written by Michael Scherer +- Allow nagios plugins to read /sys info +- ntpd needs to manage own log files +- Add support for HOME_DIR/.IBMERS +- Allow iptables commands to read firewalld config +- Allow consolekit_t to read utmp +- Fix filename transitions on .razor directory +- Add additional fixes to make DSPAM with LDA working +- Allow snort to read /etc/passwd +- Allow fail2ban to communicate with firewalld over dbus +- Dontaudit openshift_cgreoup_file_t read/write leaked dev +- Allow nfsd to use mountd port +- Call th proper interface +- Allow openvswitch to read sys and execute plymouth +- Allow tmpwatch to read /var/spool/cups/tmp +- Add support for /usr/libexec/telepathy-rakia +- Add systemd support for zoneminder +- Allow mysql to create files/directories under /var/log/mysql +- Allow zoneminder apache scripts to rw zoneminder tmpfs +- Allow httpd to manage zoneminder lib files +- Add zoneminder_run_sudo boolean to allow to start zoneminder +- Allow zoneminder to send mails +- gssproxy_t sock_file can be under /var/lib +- Allow web domains to connect to whois port. +- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t. +- We really need to add an interface to corenet to define what a web_client_domain is and +- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain. +- Add labeling for cmpiLMI_LogicalFile-cimprovagt +- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules +- Update policy rules for pegasus_openlmi_logicalfile_t +- Add initial types for logicalfile/unconfined OpenLMI providers +- mailmanctl needs to read own log +- Allow logwatch manage own lock files +- Allow nrpe to read meminfo +- Allow httpd to read certs located in pki-ca +- Add pki_read_tomcat_cert() interface +- Add support for nagios openshift plugins +- Add port definition for redis port +- fix selinuxuser_use_ssh_chroot boolean + * Fri Jun 28 2013 Miroslav Grepl 3.12.1-58 - Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. - Allow bootloader to manage generic log files