- Allow httpd_t to connect to osapi_compute port using httpd_use_openstac

- Fixes for dlm_controld
- Fix apache_read_sys_content_rw_dirs() interface
- Allow logrotate to read /var/log/z-push dir
- Allow postfix_postdrop to access postfix_public socket
- Allow sched_setscheduler for cupsd_t
- Add missing context for /usr/sbin/snmpd
- Allow consolehelper more access discovered by Tom London
- Allow fsdaemon to send signull to all domains
- Add port definition for osapi_compute port
- Allow unconfined to create /etc/hostname with correct labeling
- Add systemd_filetrans_named_hostname() interface
Miroslav Grepl 2013-04-08 14:05:50 +02:00
parent a48e548c78
commit d8b4fa387f
3 changed files with 202 additions and 108 deletions


@ -5074,7 +5074,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 4edc40d..fba95c8 100644
index 4edc40d..a69e038 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@ -5259,7 +5259,7 @@ index 4edc40d..fba95c8 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
@@ -188,13 +220,13 @@ network_port(mysqlmanagerd, tcp,2273,s0)
@@ -188,21 +220,28 @@ network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@ -5276,7 +5276,9 @@ index 4edc40d..fba95c8 100644
network_port(ocsp, tcp,9080,s0)
network_port(openhpid, tcp,4743,s0, udp,4743,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
@@ -203,6 +235,12 @@ network_port(pegasus_http, tcp,5988,s0)
+network_port(osapi_compute, tcp, 8774, s0)
network_port(pdps, tcp,1314,s0, udp,1314,s0)
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
@ -5289,7 +5291,7 @@ index 4edc40d..fba95c8 100644
network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
@@ -214,38 +252,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
@@ -214,38 +253,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@ -5337,7 +5339,7 @@ index 4edc40d..fba95c8 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
@@ -257,8 +298,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
@@ -257,8 +299,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@ -5348,7 +5350,7 @@ index 4edc40d..fba95c8 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(ups, tcp,3493,s0)
@@ -268,10 +310,10 @@ network_port(varnishd, tcp,6081-6082,s0)
@@ -268,10 +311,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@ -5361,7 +5363,7 @@ index 4edc40d..fba95c8 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
@@ -292,12 +334,16 @@ network_port(zope, tcp,8021,s0)
@@ -292,12 +335,16 @@ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@ -5380,7 +5382,7 @@ index 4edc40d..fba95c8 100644
########################################
#
@@ -330,6 +376,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
@@ -330,6 +377,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@ -5389,7 +5391,7 @@ index 4edc40d..fba95c8 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
@@ -342,9 +390,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
@@ -342,9 +391,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@ -7747,7 +7749,7 @@ index 6a1e4d1..adafd25 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..274ef6d 100644
index cf04cb5..dc4207f 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@ -7873,7 +7875,7 @@ index cf04cb5..274ef6d 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -166,5 +227,265 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
@@ -166,5 +227,266 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@ -8014,6 +8016,7 @@ index cf04cb5..274ef6d 100644
+ systemd_login_reboot(unconfined_domain_type)
+ systemd_login_halt(unconfined_domain_type)
+ systemd_login_undefined(unconfined_domain_type)
+ systemd_filetrans_named_hostname(unconfined_domain_type)
+')
+
+optional_policy(`
@ -35717,10 +35720,10 @@ index 0000000..4e12420
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
index 0000000..2927875
index 0000000..16c7767
--- /dev/null
+++ b/policy/modules/system/systemd.if
@@ -0,0 +1,1103 @@
@@ -0,0 +1,1122 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@ -36574,6 +36577,25 @@ index 0000000..2927875
+
+########################################
+## <summary>
+## Transition to systemd named content for /etc/hostname
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_filetrans_named_hostname',`
+ gen_require(`
+ type hostname_etc_t;
+ ')
+
+ files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
+ files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
+')
+
+########################################
+## <summary>
+## Get the system status information from systemd_login
+## </summary>
+## <param name="domain">
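Review bot: The summary of `systemd_filetrans_named_hostname` in the systemd.if hunk says it covers /etc/hostname, but the body also transitions "machine-info" into `hostname_etc_t`, so a caller reading only the interface doc will not expect that second file to be relabeled. Suggest widening the summary to `## Transition to systemd named content for /etc/hostname and /etc/machine-info`. The `gen_require` pulls in `hostname_etc_t` but its declaration is not in view; confirm the type is declared (with `files_config_file`) in the same patch, otherwise the `optional_policy` block in domain.te that calls this interface is silently dropped and unconfined domains keep creating /etc/hostname as plain `etc_t`. Minor style: `"hostname" )` and `"machine-info" )` carry a space before the closing parenthesis that the other filetrans calls in this commit do not use.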


@ -3048,7 +3048,7 @@ index 550a69e..78579c0 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
index 83e899c..e3bed6a 100644
index 83e899c..c0ece1b 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@ -3865,7 +3865,7 @@ index 83e899c..e3bed6a 100644
interface(`apache_manage_sys_content',`
gen_require(`
type httpd_sys_content_t;
@@ -855,32 +922,78 @@ interface(`apache_manage_sys_content',`
@@ -855,32 +922,98 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@ -3890,6 +3890,26 @@ index 83e899c..e3bed6a 100644
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to read
+## apache system content rw dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_sys_content_rw_dirs',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
## <summary>
-## Create, read, write, and delete
@ -3952,7 +3972,7 @@ index 83e899c..e3bed6a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -888,10 +1001,17 @@ interface(`apache_manage_sys_rw_content',`
@@ -888,10 +1021,17 @@ interface(`apache_manage_sys_rw_content',`
## </summary>
## </param>
#
@ -3971,7 +3991,7 @@ index 83e899c..e3bed6a 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
@@ -901,9 +1021,8 @@ interface(`apache_domtrans_sys_script',`
@@ -901,9 +1041,8 @@ interface(`apache_domtrans_sys_script',`
########################################
## <summary>
@ -3983,7 +4003,7 @@ index 83e899c..e3bed6a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -941,7 +1060,7 @@ interface(`apache_domtrans_all_scripts',`
@@ -941,7 +1080,7 @@ interface(`apache_domtrans_all_scripts',`
########################################
## <summary>
## Execute all user scripts in the user
@ -3992,7 +4012,7 @@ index 83e899c..e3bed6a 100644
## to the specified role.
## </summary>
## <param name="domain">
@@ -954,6 +1073,7 @@ interface(`apache_domtrans_all_scripts',`
@@ -954,6 +1093,7 @@ interface(`apache_domtrans_all_scripts',`
## Role allowed access.
## </summary>
## </param>
@ -4000,7 +4020,7 @@ index 83e899c..e3bed6a 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
@@ -966,7 +1086,8 @@ interface(`apache_run_all_scripts',`
@@ -966,7 +1106,8 @@ interface(`apache_run_all_scripts',`
########################################
## <summary>
@ -4010,7 +4030,7 @@ index 83e899c..e3bed6a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -979,12 +1100,13 @@ interface(`apache_read_squirrelmail_data',`
@@ -979,12 +1120,13 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@ -4026,7 +4046,7 @@ index 83e899c..e3bed6a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1002,7 +1124,7 @@ interface(`apache_append_squirrelmail_data',`
@@ -1002,7 +1144,7 @@ interface(`apache_append_squirrelmail_data',`
########################################
## <summary>
@ -4035,7 +4055,7 @@ index 83e899c..e3bed6a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1015,13 +1137,12 @@ interface(`apache_search_sys_content',`
@@ -1015,13 +1157,12 @@ interface(`apache_search_sys_content',`
type httpd_sys_content_t;
')
@ -4050,7 +4070,7 @@ index 83e899c..e3bed6a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1041,7 +1162,7 @@ interface(`apache_read_sys_content',`
@@ -1041,7 +1182,7 @@ interface(`apache_read_sys_content',`
########################################
## <summary>
@ -4059,7 +4079,7 @@ index 83e899c..e3bed6a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1059,8 +1180,7 @@ interface(`apache_search_sys_scripts',`
@@ -1059,8 +1200,7 @@ interface(`apache_search_sys_scripts',`
########################################
## <summary>
@ -4069,7 +4089,7 @@ index 83e899c..e3bed6a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1070,13 +1190,22 @@ interface(`apache_search_sys_scripts',`
@@ -1070,13 +1210,22 @@ interface(`apache_search_sys_scripts',`
## <rolecap/>
#
interface(`apache_manage_all_user_content',`
@ -4095,7 +4115,7 @@ index 83e899c..e3bed6a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1094,7 +1223,8 @@ interface(`apache_search_sys_script_state',`
@@ -1094,7 +1243,8 @@ interface(`apache_search_sys_script_state',`
########################################
## <summary>
@ -4105,7 +4125,7 @@ index 83e899c..e3bed6a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1111,10 +1241,29 @@ interface(`apache_read_tmp_files',`
@@ -1111,10 +1261,29 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@ -4137,7 +4157,7 @@ index 83e899c..e3bed6a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1127,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',`
@@ -1127,7 +1296,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@ -4146,7 +4166,7 @@ index 83e899c..e3bed6a 100644
')
########################################
@@ -1136,6 +1285,9 @@ interface(`apache_dontaudit_write_tmp_files',`
@@ -1136,6 +1305,9 @@ interface(`apache_dontaudit_write_tmp_files',`
## </summary>
## <desc>
## <p>
@ -4156,7 +4176,7 @@ index 83e899c..e3bed6a 100644
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
@@ -1165,8 +1317,30 @@ interface(`apache_cgi_domain',`
@@ -1165,8 +1337,30 @@ interface(`apache_cgi_domain',`
########################################
## <summary>
@ -4189,7 +4209,7 @@ index 83e899c..e3bed6a 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1183,18 +1357,19 @@ interface(`apache_cgi_domain',`
@@ -1183,18 +1377,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
@ -4218,7 +4238,7 @@ index 83e899c..e3bed6a 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
@@ -1204,10 +1379,10 @@ interface(`apache_admin',`
@@ -1204,10 +1399,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@ -4232,7 +4252,7 @@ index 83e899c..e3bed6a 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
@@ -1218,9 +1393,129 @@ interface(`apache_admin',`
@@ -1218,9 +1413,129 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@ -4367,7 +4387,7 @@ index 83e899c..e3bed6a 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
index 1a82e29..5e167ca 100644
index 1a82e29..dfaef83 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,353 @@
@ -6034,13 +6054,13 @@ index 1a82e29..5e167ca 100644
-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
+allow httpd_sys_script_t self:process getsched;
-
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
-
+allow httpd_sys_script_t self:process getsched;
-corecmd_exec_all_executables(httpd_script_domains)
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
@ -6173,8 +6193,7 @@ index 1a82e29..5e167ca 100644
-#
-
-allow httpd_sys_script_t self:tcp_socket { accept listen };
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
@ -6204,7 +6223,8 @@ index 1a82e29..5e167ca 100644
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@ -6417,7 +6437,7 @@ index 1a82e29..5e167ca 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
@@ -1376,38 +1501,94 @@ dev_read_urand(httpd_passwd_t)
@@ -1376,38 +1501,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@ -6435,23 +6455,33 @@ index 1a82e29..5e167ca 100644
+systemd_manage_passwd_run(httpd_passwd_t)
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
+
-allow httpd_gpg_t self:process setrlimit;
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
+
-allow httpd_gpg_t httpd_t:fd use;
-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
-allow httpd_gpg_t httpd_t:process sigchld;
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
+corecmd_shell_entry_type(httpd_script_type)
+
-dev_read_rand(httpd_gpg_t)
-dev_read_urand(httpd_gpg_t)
+allow httpd_script_type self:fifo_file rw_file_perms;
+allow httpd_script_type self:unix_stream_socket connectto;
+
-files_read_usr_files(httpd_gpg_t)
+allow httpd_script_type httpd_t:fifo_file write;
+# apache should set close-on-exec
+apache_dontaudit_leaks(httpd_script_type)
+
-miscfiles_read_localization(httpd_gpg_t)
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
+logging_search_logs(httpd_script_type)
+
-tunable_policy(`httpd_gpg_anon_write',`
- miscfiles_manage_public_files(httpd_gpg_t)
+kernel_dontaudit_search_sysctl(httpd_script_type)
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
+
@ -6466,34 +6496,24 @@ index 1a82e29..5e167ca 100644
+
+libs_exec_ld_so(httpd_script_type)
+libs_exec_lib_files(httpd_script_type)
-allow httpd_gpg_t self:process setrlimit;
+
+miscfiles_read_fonts(httpd_script_type)
+miscfiles_read_public_files(httpd_script_type)
-allow httpd_gpg_t httpd_t:fd use;
-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
-allow httpd_gpg_t httpd_t:process sigchld;
+
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
-dev_read_rand(httpd_gpg_t)
-dev_read_urand(httpd_gpg_t)
+
+allow httpd_t httpd_script_exec_type:file read_file_perms;
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
+allow httpd_t httpd_script_type:process { signal sigkill sigstop };
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
-files_read_usr_files(httpd_gpg_t)
+
+allow httpd_script_type self:process { setsched signal_perms };
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
-miscfiles_read_localization(httpd_gpg_t)
+
+allow httpd_script_type httpd_t:fd use;
+allow httpd_script_type httpd_t:process sigchld;
-tunable_policy(`httpd_gpg_anon_write',`
- miscfiles_manage_public_files(httpd_gpg_t)
+
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
+
+fs_getattr_xattr_fs(httpd_script_type)
@ -6531,6 +6551,11 @@ index 1a82e29..5e167ca 100644
+ corenet_tcp_connect_keystone_port(httpd_sys_script_t)
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
+ corenet_tcp_connect_glance_port(httpd_sys_script_t)
+ corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_use_openstack',`
+ corenet_tcp_connect_osapi_compute_port(httpd_t)
')
diff --git a/apcupsd.fc b/apcupsd.fc
index 5ec0e13..2da2368 100644
@ -9565,10 +9590,10 @@ index 0c53b18..ef29f6e 100644
domain_system_change_exemption($1)
role_transition $2 certmaster_initrc_exec_t system_r;
diff --git a/certmaster.te b/certmaster.te
index bf82163..5397bb9 100644
index bf82163..2b571c7 100644
--- a/certmaster.te
+++ b/certmaster.te
@@ -65,11 +65,8 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
dev_read_urand(certmaster_t)
files_list_var(certmaster_t)
@ -9580,6 +9605,8 @@ index bf82163..5397bb9 100644
-miscfiles_read_localization(certmaster_t)
miscfiles_manage_generic_cert_dirs(certmaster_t)
miscfiles_manage_generic_cert_files(certmaster_t)
+
+mta_send_mail(certmaster_t)
diff --git a/certmonger.fc b/certmonger.fc
index ed298d8..cd8eb4d 100644
--- a/certmonger.fc
@ -16063,7 +16090,7 @@ index 06da9a0..ca832e1 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
index 9f34c2e..3b03f21 100644
index 9f34c2e..fb69e2c 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@ -16160,8 +16187,8 @@ index 9f34c2e..3b03f21 100644
+# Cups general local policy
+#
+
+allow cups_domain self:capability { setuid setgid };
+allow cups_domain self:process signal_perms;
+allow cups_domain self:capability { setuid setgid sys_nice };
+allow cups_domain self:process { getsched setsched signal_perms };
+allow cups_domain self:fifo_file rw_fifo_file_perms;
+allow cups_domain self:tcp_socket { accept listen };
+
@ -32942,7 +32969,7 @@ index dd8e01a..9cd6b0b 100644
## <param name="domain">
## <summary>
diff --git a/logrotate.te b/logrotate.te
index 7bab8e5..ed36684 100644
index 7bab8e5..3baae66 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -1,20 +1,18 @@
@ -33126,7 +33153,13 @@ index 7bab8e5..ed36684 100644
')
optional_policy(`
@@ -140,11 +159,11 @@ optional_policy(`
@@ -135,16 +154,17 @@ optional_policy(`
optional_policy(`
apache_read_config(logrotate_t)
+ apache_read_sys_content_rw_dirs(logrotate_t)
apache_domtrans(logrotate_t)
apache_signull(logrotate_t)
')
optional_policy(`
@ -33140,7 +33173,7 @@ index 7bab8e5..ed36684 100644
')
optional_policy(`
@@ -178,7 +197,7 @@ optional_policy(`
@@ -178,7 +198,7 @@ optional_policy(`
')
optional_policy(`
@ -33149,7 +33182,7 @@ index 7bab8e5..ed36684 100644
')
optional_policy(`
@@ -198,21 +217,22 @@ optional_policy(`
@@ -198,21 +218,22 @@ optional_policy(`
')
optional_policy(`
@ -33176,7 +33209,7 @@ index 7bab8e5..ed36684 100644
')
optional_policy(`
@@ -228,10 +248,20 @@ optional_policy(`
@@ -228,10 +249,20 @@ optional_policy(`
')
optional_policy(`
@ -33197,7 +33230,7 @@ index 7bab8e5..ed36684 100644
su_exec(logrotate_t)
')
@@ -241,13 +271,11 @@ optional_policy(`
@@ -241,13 +272,11 @@ optional_policy(`
#######################################
#
@ -54684,7 +54717,7 @@ index 2e23946..41da729 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
index 191a66f..b11469c 100644
index 191a66f..7ceaec2 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
@ -55284,7 +55317,7 @@ index 191a66f..b11469c 100644
#
allow postfix_pipe_t self:process setrlimit;
@@ -576,19 +495,24 @@ optional_policy(`
@@ -576,19 +495,25 @@ optional_policy(`
########################################
#
@ -55301,6 +55334,7 @@ index 191a66f..b11469c 100644
+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
+postfix_list_spool(postfix_postdrop_t)
manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
@ -55314,7 +55348,7 @@ index 191a66f..b11469c 100644
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
@@ -603,10 +527,7 @@ optional_policy(`
@@ -603,10 +528,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@ -55326,7 +55360,7 @@ index 191a66f..b11469c 100644
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
@@ -621,17 +542,23 @@ optional_policy(`
@@ -621,17 +543,23 @@ optional_policy(`
#######################################
#
@ -55353,7 +55387,7 @@ index 191a66f..b11469c 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -647,67 +574,77 @@ optional_policy(`
@@ -647,67 +575,77 @@ optional_policy(`
########################################
#
@ -55449,7 +55483,7 @@ index 191a66f..b11469c 100644
')
optional_policy(`
@@ -720,24 +657,27 @@ optional_policy(`
@@ -720,24 +658,27 @@ optional_policy(`
########################################
#
@ -55483,7 +55517,7 @@ index 191a66f..b11469c 100644
fs_getattr_all_dirs(postfix_smtpd_t)
fs_getattr_all_fs(postfix_smtpd_t)
@@ -754,6 +694,7 @@ optional_policy(`
@@ -754,6 +695,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@ -55491,7 +55525,7 @@ index 191a66f..b11469c 100644
')
optional_policy(`
@@ -764,31 +705,100 @@ optional_policy(`
@@ -764,31 +706,100 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@ -64957,7 +64991,7 @@ index 56bc01f..cbca7aa 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
index 2c2de9a..bbe8875 100644
index 2c2de9a..aa4480c 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@ -65257,7 +65291,16 @@ index 2c2de9a..bbe8875 100644
')
#####################################
@@ -98,6 +354,12 @@ fs_manage_configfs_dirs(dlm_controld_t)
@@ -79,7 +335,7 @@ optional_policy(`
# dlm_controld local policy
#
-allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
+allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource };
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
@@ -98,6 +354,16 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
@ -65266,11 +65309,15 @@ index 2c2de9a..bbe8875 100644
+optional_policy(`
+ corosync_rw_tmpfs(dlm_controld_t)
+')
+
+optional_policy(`
+ rhcs_stream_connect_cluster(dlm_controld_t)
+')
+
#######################################
#
# fenced local policy
@@ -105,9 +367,13 @@ init_rw_script_tmp_files(dlm_controld_t)
@@ -105,9 +371,13 @@ init_rw_script_tmp_files(dlm_controld_t)
allow fenced_t self:capability { sys_rawio sys_resource };
allow fenced_t self:process { getsched signal_perms };
@ -65285,7 +65332,7 @@ index 2c2de9a..bbe8875 100644
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
@@ -118,9 +384,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
@@ -118,9 +388,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@ -65296,7 +65343,7 @@ index 2c2de9a..bbe8875 100644
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)
@@ -148,9 +413,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
@@ -148,9 +417,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
@ -65307,7 +65354,7 @@ index 2c2de9a..bbe8875 100644
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
@@ -160,7 +423,7 @@ term_getattr_pty_fs(fenced_t)
@@ -160,7 +427,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
@ -65316,7 +65363,7 @@ index 2c2de9a..bbe8875 100644
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
@@ -190,10 +453,6 @@ optional_policy(`
@@ -190,10 +457,6 @@ optional_policy(`
')
optional_policy(`
@ -65327,7 +65374,7 @@ index 2c2de9a..bbe8875 100644
lvm_domtrans(fenced_t)
lvm_read_config(fenced_t)
')
@@ -203,6 +462,13 @@ optional_policy(`
@@ -203,6 +466,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@ -65341,7 +65388,7 @@ index 2c2de9a..bbe8875 100644
#######################################
#
# foghorn local policy
@@ -223,7 +489,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
@@ -223,7 +493,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
dev_read_urand(foghorn_t)
@ -65351,7 +65398,7 @@ index 2c2de9a..bbe8875 100644
optional_policy(`
dbus_connect_system_bus(foghorn_t)
@@ -257,6 +524,8 @@ storage_getattr_removable_dev(gfs_controld_t)
@@ -257,6 +528,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@ -65360,7 +65407,7 @@ index 2c2de9a..bbe8875 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
@@ -275,10 +544,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
@@ -275,10 +548,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@ -65373,7 +65420,7 @@ index 2c2de9a..bbe8875 100644
######################################
#
# qdiskd local policy
@@ -321,6 +590,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
@@ -321,6 +594,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@ -73079,7 +73126,7 @@ index cd6c213..34b861a 100644
+ allow $1 sanlock_unit_file_t:service all_service_perms;
')
diff --git a/sanlock.te b/sanlock.te
index a34eac4..25ad7ec 100644
index a34eac4..b144d40 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -1,4 +1,4 @@
@ -73219,7 +73266,7 @@ index a34eac4..25ad7ec 100644
optional_policy(`
- virt_kill_all_virt_domains(sanlock_t)
+ virt_kill_svirt(sanlock_t)
+ virt_kill(sanlock_t)
+ virt_kill(sanlock_t)
virt_manage_lib_files(sanlock_t)
- virt_signal_all_virt_domains(sanlock_t)
+ virt_signal_svirt(sanlock_t)
@ -75771,7 +75818,7 @@ index e0644b5..ea347cc 100644
domain_system_change_exemption($1)
role_transition $2 fsdaemon_initrc_exec_t system_r;
diff --git a/smartmon.te b/smartmon.te
index 9ade9c5..efefceb 100644
index 9ade9c5..60d6c41 100644
--- a/smartmon.te
+++ b/smartmon.te
@@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t)
@ -75804,15 +75851,17 @@ index 9ade9c5..efefceb 100644
storage_raw_read_fixed_disk(fsdaemon_t)
storage_raw_write_fixed_disk(fsdaemon_t)
storage_raw_read_removable_device(fsdaemon_t)
@@ -85,6 +91,8 @@ term_dontaudit_search_ptys(fsdaemon_t)
@@ -83,7 +89,9 @@ storage_write_scsi_generic(fsdaemon_t)
application_signull(fsdaemon_t)
term_dontaudit_search_ptys(fsdaemon_t)
+auth_read_passwd(fsdaemon_t)
-application_signull(fsdaemon_t)
+domain_signull_all_domains(fsdaemon_t)
+
+auth_read_passwd(fsdaemon_t)
init_read_utmp(fsdaemon_t)
libs_exec_ld_so(fsdaemon_t)
@@ -92,12 +100,13 @@ libs_exec_lib_files(fsdaemon_t)
logging_send_syslog_msg(fsdaemon_t)
@ -76248,9 +76297,17 @@ index 0000000..92c3638
+
+sysnet_dns_name_resolve(smsd_t)
diff --git a/snmp.fc b/snmp.fc
index c73fa24..9018dbc 100644
index c73fa24..408ff61 100644
--- a/snmp.fc
+++ b/snmp.fc
@@ -1,6 +1,6 @@
/etc/rc\.d/init\.d/((snmpd)|(snmptrapd)) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
-/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0)
@@ -10,9 +10,12 @@
/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
@ -83495,7 +83552,7 @@ index cf118fd..cd80e83 100644
+ can_exec($1, consolehelper_exec_t)
+')
diff --git a/userhelper.te b/userhelper.te
index 274ed9c..9294dd6 100644
index 274ed9c..57a9c3d 100644
--- a/userhelper.te
+++ b/userhelper.te
@@ -1,15 +1,12 @@
@ -83516,7 +83573,7 @@ index 274ed9c..9294dd6 100644
type userhelper_conf_t;
files_config_file(userhelper_conf_t)
@@ -22,141 +19,71 @@ application_executable_file(consolehelper_exec_t)
@@ -22,141 +19,72 @@ application_executable_file(consolehelper_exec_t)
########################################
#
@ -83533,8 +83590,8 @@ index 274ed9c..9294dd6 100644
-dontaudit consolehelper_type userhelper_conf_t:file audit_access;
-read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t)
+allow consolehelper_domain self:shm create_shm_perms;
+allow consolehelper_domain self:capability { setgid setuid dac_override };
+allow consolehelper_domain self:process signal;
+allow consolehelper_domain self:capability { setgid setuid dac_override sys_nice };
+allow consolehelper_domain self:process { signal_perms getsched setsched };
-domain_use_interactive_fds(consolehelper_type)
+allow consolehelper_domain userhelper_conf_t:file audit_access;
@ -83600,6 +83657,7 @@ index 274ed9c..9294dd6 100644
+userdom_use_user_ptys(consolehelper_domain)
+userdom_use_user_ttys(consolehelper_domain)
+userdom_read_user_home_content_files(consolehelper_domain)
+userdom_search_admin_dir(consolehelper_domain)
-tunable_policy(`use_samba_home_dirs',`
- fs_search_cifs(consolehelper_type)
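Review bot: In the rhcs.te hunk, `dac_override` is added to dlm_controld_t's `self:capability` set without a comment saying which file access needed it; that capability lets the daemon bypass DAC mode bits on every file its SELinux rules already allow, so it deserves a justification beside the rule, e.g. `# dac_override: <path> is not readable by the uid dlm_controld runs as`, once the triggering AVC is known. If the denial was only a read or directory search, `dac_read_search` is the narrower capability and should be preferred, and if the file belongs to dlm_controld's own user, fixing ownership or mode in the package avoids the grant entirely. The same least-privilege question applies to the cups.te hunk: the changelog names cupsd_t, but `sys_nice` and `setsched` are granted to `cups_domain`, which from the "Cups general local policy" heading appears to be an attribute shared by every cups domain, so all of them gain scheduler control rather than just cupsd_t. The dlm_controld policy block that the rhcs.te hunk edits begins and ends outside the hunk.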


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 27%{?dist}
Release: 28%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -526,6 +526,20 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Mon Apr 8 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-28
- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
- Fixes for dlm_controld
- Fix apache_read_sys_content_rw_dirs() interface
- Allow logrotate to read /var/log/z-push dir
- Allow postfix_postdrop to acces postfix_public socket
- Allow sched_setscheduler for cupsd_t
- Add missing context for /usr/sbin/snmpd
- Allow consolehelper more access discovered by Tom London
- Allow fsdaemon to send signull to all domain
- Add port definition for osapi_compute port
- Allow unconfined to create /etc/hostname with correct labeling
- Add systemd_filetrans_named_hostname() interface
* Sat Apr 6 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-27
- Fix file_contexts.subs to label /run/lock correctly